
    74 vulnerabilities found for communications_offline_mediation_controller by oracle

    CVE-2022-23307 (GCVE-0-2022-23307)

    Vulnerability from nvd – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:44
    VLAI
    Title
    A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
    Summary
    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.2.1 , < unspecified (custom)
    Affected: unspecified , ≤ 2.0-alpha1 (custom)
    Credits
    @kingkk

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.396Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:31:45.470568Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:44:43.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "@kingkk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "Critical"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:30.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.",
          "workarounds": [
            {
              "lang": "en",
              "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23307",
              "STATE": "PUBLIC",
              "TITLE": "A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.2.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "@kingkk"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "Critical"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23307",
        "datePublished": "2022-01-18T15:25:23.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:44:43.452Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23305 (GCVE-0-2022-23305)

    Vulnerability from nvd – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:40
    VLAI
    Title
    SQL injection in JDBC Appender in Apache Log4j V1
    Summary
    By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.2.1 , < unspecified (custom)
    Affected: unspecified , < 2.0-alpha1 (custom)
    Credits
    Daniel Martin of NCC Group

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.421Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:32:51.484506Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:40:57.853Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Daniel Martin of NCC Group"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "high"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:18.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL injection in JDBC Appender in Apache Log4j V1",
          "workarounds": [
            {
              "lang": "en",
              "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23305",
              "STATE": "PUBLIC",
              "TITLE": "SQL injection in JDBC Appender in Apache Log4j V1"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Daniel Martin of NCC Group"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "high"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
                },
                {
                  "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220217-0007/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23305",
        "datePublished": "2022-01-18T15:25:22.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:40:57.853Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23302 (GCVE-0-2022-23302)

    Vulnerability from nvd – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:46
    VLAI
    Title
    Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
    Summary
    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.0.1 , < unspecified (custom)
    Affected: unspecified , < 2.0-alpha1 (custom)
    Credits
    Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-07-07T17:47:01.136Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23302",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:40:24.478659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:46:05.384Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "high"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:03.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "workarounds": [
            {
              "lang": "en",
              "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23302",
              "STATE": "PUBLIC",
              "TITLE": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "high"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
                },
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220217-0006/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23302",
        "datePublished": "2022-01-18T15:25:20.000Z",
        "dateReserved": "2022-01-16T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:46:05.384Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-44832 (GCVE-0-2021-44832)

    Vulnerability from nvd – Published: 2021-12-28 19:35 – Updated: 2026-05-29 18:53
    Title
    Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
    Summary
    Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j2 Affected: log4j-core , < 2.17.1 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.076Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_CISCO",
                  "x_transferred"
                ],
                "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
              },
              {
                "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
              },
              {
                "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
              },
              {
                "name": "FEDORA-2021-c6f471ce0f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
              },
              {
                "name": "FEDORA-2021-1bd9151bab",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.6,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T18:53:35.535632Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T18:53:46.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j2",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.13.0",
                      "status": "affected"
                    },
                    {
                      "at": "2.12.4",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.4",
                      "status": "affected"
                    },
                    {
                      "at": "2.3.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0-beta7",
                      "status": "affected"
                    }
                  ],
                  "lessThan": "2.17.1",
                  "status": "affected",
                  "version": "log4j-core",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "moderate"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:41:33.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "tags": [
                "vendor-advisory",
                "x_refsource_CISCO"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
            },
            {
              "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
            },
            {
              "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
            },
            {
              "name": "FEDORA-2021-c6f471ce0f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
            },
            {
              "name": "FEDORA-2021-1bd9151bab",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "defect": [
              "LOG4J2-3293",
              ""
            ],
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2021-12-27T00:00:00.000Z",
              "value": "reported"
            },
            {
              "lang": "en",
              "time": "2021-12-27T00:00:00.000Z",
              "value": "patch proposed, 2.17.1-rc1"
            },
            {
              "lang": "en",
              "time": "2021-12-28T00:00:00.000Z",
              "value": "fixed"
            },
            {
              "lang": "en",
              "time": "2021-12-28T00:00:00.000Z",
              "value": "public"
            }
          ],
          "title": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-44832",
              "STATE": "PUBLIC",
              "TITLE": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.17.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.13.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.12.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.4"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.3.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.0-beta7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "moderate"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
                  "refsource": "CISCO",
                  "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
                },
                {
                  "name": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
                },
                {
                  "name": "https://issues.apache.org/jira/browse/LOG4J2-3293",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
                },
                {
                  "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
                },
                {
                  "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
                },
                {
                  "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
                },
                {
                  "name": "FEDORA-2021-c6f471ce0f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
                },
                {
                  "name": "FEDORA-2021-1bd9151bab",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220104-0001/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "defect": [
                "LOG4J2-3293",
                ""
              ],
              "discovery": "UNKNOWN"
            },
            "timeline": [
              {
                "lang": "en",
                "time": "2021-12-27T00:00:00.000Z",
                "value": "reported"
              },
              {
                "lang": "en",
                "time": "2021-12-27T00:00:00.000Z",
                "value": "patch proposed, 2.17.1-rc1"
              },
              {
                "lang": "en",
                "time": "2021-12-28T00:00:00.000Z",
                "value": "fixed"
              },
              {
                "lang": "en",
                "time": "2021-12-28T00:00:00.000Z",
                "value": "public"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-44832",
        "datePublished": "2021-12-28T19:35:11.000Z",
        "dateReserved": "2021-12-11T00:00:00.000Z",
        "dateUpdated": "2026-05-29T18:53:46.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-4104 (GCVE-0-2021-4104)

    Vulnerability from nvd – Published: 2021-12-14 00:00 – Updated: 2026-05-28 19:53
    Title
    Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
    Summary
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: Apache Log4j 1.2 1.2.x

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
              },
              {
                "name": "VU#930724",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/930724"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "GLSA-202209-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202209-02"
              },
              {
                "name": "GLSA-202310-16",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-16"
              },
              {
                "name": "GLSA-202312-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-02"
              },
              {
                "name": "GLSA-202312-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-4104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-20T16:29:18.701121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T19:53:14.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Log4j 1.2 1.2.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-22T09:06:15.357Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
            },
            {
              "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
            },
            {
              "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
            },
            {
              "name": "VU#930724",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202209-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202209-02"
            },
            {
              "name": "GLSA-202310-16",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202310-16"
            },
            {
              "name": "GLSA-202312-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-02"
            },
            {
              "name": "GLSA-202312-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-04"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-4104",
        "datePublished": "2021-12-14T00:00:00.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2026-05-28T19:53:14.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-29425 (GCVE-0-2021-29425)

    Vulnerability from nvd – Published: 2021-04-13 06:50 – Updated: 2024-08-03 22:02
    Title
    Possible limited path traversal vulnerability in Apache Commons IO
    Summary
    In Apache Commons IO before 2.7, when the method FilenameUtils.normalize is invoked with an improper input string such as "//../foo" or "\\..\foo", the result is the same value as the input, possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code uses the result to construct a path value.
    Severity
    No CVSS data available.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL Tags
    https://issues.apache.org/jira/browse/IO-556 x_refsource_MISC
    https://lists.apache.org/thread.html/rc359823b550… x_refsource_MISC
    https://lists.apache.org/thread.html/rfd01af05bab… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r8efcbabde97… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r873d5ddafc0… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r0d73e2071d1… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r47ab6f68cbb… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/raa053846cae… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r8569a41d565… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rfa2f08b7c0c… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r1c2f4683c35… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r27b1eedda37… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/ra8ef65aedc0… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r523a6ffad58… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rbebd3e19651… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r2bc986a0704… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r2721aba31a8… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r345330b7858… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rad4ae544747… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r808be7d93b1… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rc65f9bc679f… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rc2dd3204260… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r2df50af2641… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r8bfc7235e6b… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r92ea904f4ba… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rfcd2c649c20… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r2345b49dbff… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r477c285126a… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rc10fa20ef4d… mailing-list, x_refsource_MLIST
    https://lists.debian.org/debian-lts-announce/2021… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rca71a10ca53… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/re41e9967bee… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rd09d4ab3e32… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r01b4a1fcdf3… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/red3aea91040… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r20416f39ca7… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r86528f4b7d2… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/rc5f3df5316c… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r0bfa8f7921a… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r462db908acc… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r4050f9f6b42… mailing-list, x_refsource_MLIST
    https://lists.apache.org/thread.html/r5149f78be26… mailing-list, x_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpujan2022.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuapr2022.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2022021… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujul2022.html x_refsource_MISC
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Commons IO Affected: Apache Commons IO 2.2
    Affected: Apache Commons IO 2.3
    Affected: Apache Commons IO 2.4
    Affected: Apache Commons IO 2.5
    Affected: Apache Commons IO 2.6

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:51.887Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/IO-556"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E"
              },
              {
                "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[kafka-users] 20210617 vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Commons IO",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.2"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.3"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.4"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.5"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:27:07.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/IO-556"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E"
            },
            {
              "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20210617 vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "defect": [
              "IO-556",
              "IO-559"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Possible limited path traversal vulnerability in Apache Commons IO",
          "workarounds": [
            {
              "lang": "en",
              "value": "Neither the method in question (FilenameUtils.normalize) nor any method that invokes it actually accesses any files. Only a string is returned, from which a path can be constructed. In other words, a possible workaround is to not pass any unsafe input to FilenameUtils.normalize."
            },
            {
              "lang": "en",
              "value": "Upgrade to Apache Commons IO 2.7, or later, where the same method returns the value null, as an indication of \"invalid input\"."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-29425",
              "STATE": "PUBLIC",
              "TITLE": "Possible limited path traversal vulnerability in Apache Commons IO"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Commons IO",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.2"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.3"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.4"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.5"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/IO-556",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/IO-556"
                },
                {
                  "name": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E"
                },
                {
                  "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[kafka-users] 20210617 vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220210-0004/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "defect": [
                "IO-556",
                "IO-559"
              ],
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Neither the method in question (FileNameUtils.normalize) nor any methods, that invoke it, do actually access any files. There\u0027s only a string returned, from which a path can be constructed. In other words, a possible workaround would be not passing any unsafe input to FileNameUtils.normalize."
              },
              {
                "lang": "en",
                "value": "Upgrade to Apache Commons IO 2.7, or later, where the same method returns the value null, as an indication of \"invalid input\"."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-29425",
        "datePublished": "2021-04-13T06:50:12.000Z",
        "dateReserved": "2021-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T22:02:51.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-28041 (GCVE-0-2021-28041)

    Vulnerability from nvd – Published: 2021-03-05 19:07 – Updated: 2024-08-03 21:33
    Summary
    ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:33:17.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openssh.com/security.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openssh.com/txt/release-8.5"
              },
              {
                "name": "FEDORA-2021-f68a5a75ba",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
              },
              {
                "name": "GLSA-202105-35",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202105-35"
              },
              {
                "name": "FEDORA-2021-1d3698089d",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-20T22:56:32.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openssh.com/security.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openssh.com/txt/release-8.5"
            },
            {
              "name": "FEDORA-2021-f68a5a75ba",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
            },
            {
              "name": "GLSA-202105-35",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202105-35"
            },
            {
              "name": "FEDORA-2021-1d3698089d",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-28041",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.openssh.com/security.html",
                  "refsource": "MISC",
                  "url": "https://www.openssh.com/security.html"
                },
                {
                  "name": "https://www.openwall.com/lists/oss-security/2021/03/03/1",
                  "refsource": "MISC",
                  "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
                },
                {
                  "name": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db",
                  "refsource": "MISC",
                  "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
                },
                {
                  "name": "https://www.openssh.com/txt/release-8.5",
                  "refsource": "MISC",
                  "url": "https://www.openssh.com/txt/release-8.5"
                },
                {
                  "name": "FEDORA-2021-f68a5a75ba",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
                },
                {
                  "name": "GLSA-202105-35",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/202105-35"
                },
                {
                  "name": "FEDORA-2021-1d3698089d",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210416-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-28041",
        "datePublished": "2021-03-05T19:07:34.000Z",
        "dateReserved": "2021-03-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:33:17.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-11987 (GCVE-0-2020-11987)

    Vulnerability from nvd – Published: 2021-02-24 00:00 – Updated: 2025-11-03 19:25
    Summary
    Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    Impacted products
    Vendor Product Version
    n/a Apache Batik Affected: Apache Batik 1.13

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:25:28.147Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://xmlgraphics.apache.org/security.html"
              },
              {
                "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
              },
              {
                "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-65ff5f10e2",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/"
              },
              {
                "name": "FEDORA-2021-33a1b73e48",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
              },
              {
                "name": "GLSA-202401-11",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-11"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Batik",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Batik 1.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-07T11:06:30.228Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://xmlgraphics.apache.org/security.html"
            },
            {
              "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-65ff5f10e2",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/"
            },
            {
              "name": "FEDORA-2021-33a1b73e48",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
            },
            {
              "name": "GLSA-202401-11",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202401-11"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-11987",
        "datePublished": "2021-02-24T00:00:00.000Z",
        "dateReserved": "2020-04-21T00:00:00.000Z",
        "dateUpdated": "2025-11-03T19:25:28.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-23336 (GCVE-0-2021-23336)

    Vulnerability from nvd – Published: 2021-02-15 12:15 – Updated: 2025-12-17 21:16
    VLAI
    Title
    Web Cache Poisoning
    Summary
    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Web Cache Poisoning
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-…
    https://github.com/python/cpython/pull/24297
    https://snyk.io/blog/cache-poisoning-in-popular-o…
    http://www.openwall.com/lists/oss-security/2021/02/19/4 mailing-list
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.apache.org/thread.html/rf9fa47ab664… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://security.gentoo.org/glsa/202104-04 vendor-advisory
    https://lists.apache.org/thread.html/ra8ce70088ba… mailing-list
    http://www.openwall.com/lists/oss-security/2021/05/01/2 mailing-list
    https://lists.apache.org/thread.html/rc005f4de9d9… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://security.netapp.com/advisory/ntap-2021032…
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    Impacted products
    Vendor Product Version
    n/a python/cpython Affected: 0 , < unspecified (custom)
    Affected: unspecified , < 3.6.13 (custom)
    Affected: 3.7.0 , < unspecified (custom)
    Affected: unspecified , < 3.7.10 (custom)
    Affected: 3.8.0 , < unspecified (custom)
    Affected: unspecified , < 3.8.8 (custom)
    Affected: 3.9.0 , < unspecified (custom)
    Affected: unspecified , < 3.9.2 (custom)
    Date Public
    2021-02-15 00:00
    Credits
    Snyk Security Team

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.612Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/python/cpython/pull/24297"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
              },
              {
                "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
              },
              {
                "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
              },
              {
                "name": "FEDORA-2021-7547ad987f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
              },
              {
                "name": "FEDORA-2021-f4fd9372c7",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
              },
              {
                "name": "FEDORA-2021-3352c1c802",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
              },
              {
                "name": "FEDORA-2021-7d3a9004e2",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
              },
              {
                "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-907f3bacae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
              },
              {
                "name": "FEDORA-2021-7c1bb32d13",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
              },
              {
                "name": "FEDORA-2021-b1843407ca",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
              },
              {
                "name": "FEDORA-2021-2897f5366c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
              },
              {
                "name": "FEDORA-2021-b326fcb83f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
              },
              {
                "name": "FEDORA-2021-1bb399a5af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
              },
              {
                "name": "FEDORA-2021-ef83e8525a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
              },
              {
                "name": "FEDORA-2021-b76ede8f4d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
              },
              {
                "name": "FEDORA-2021-309bc2e727",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
              },
              {
                "name": "FEDORA-2021-5a09621ebb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
              },
              {
                "name": "FEDORA-2021-e22bb0e548",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
              },
              {
                "name": "FEDORA-2021-e525e48886",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
              },
              {
                "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
              },
              {
                "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
              },
              {
                "name": "FEDORA-2021-b6b6093b3a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
              },
              {
                "name": "GLSA-202104-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202104-04"
              },
              {
                "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
              },
              {
                "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-98720f3785",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
              },
              {
                "name": "FEDORA-2021-12df7f7382",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23336",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T21:16:05.233145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-444",
                    "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-17T21:16:09.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "python/cpython",
              "vendor": "n/a",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.6.13",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.7.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.8.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.9.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Snyk Security Team"
            }
          ],
          "datePublic": "2021-02-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "PROOF_OF_CONCEPT",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "remediationLevel": "UNAVAILABLE",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 5.6,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Web Cache Poisoning",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-20T21:06:13.958Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
            },
            {
              "url": "https://github.com/python/cpython/pull/24297"
            },
            {
              "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
            },
            {
              "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
            },
            {
              "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
            },
            {
              "name": "FEDORA-2021-7547ad987f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
            },
            {
              "name": "FEDORA-2021-f4fd9372c7",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
            },
            {
              "name": "FEDORA-2021-3352c1c802",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
            },
            {
              "name": "FEDORA-2021-7d3a9004e2",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
            },
            {
              "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-907f3bacae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
            },
            {
              "name": "FEDORA-2021-7c1bb32d13",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
            },
            {
              "name": "FEDORA-2021-b1843407ca",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
            },
            {
              "name": "FEDORA-2021-2897f5366c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
            },
            {
              "name": "FEDORA-2021-b326fcb83f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
            },
            {
              "name": "FEDORA-2021-1bb399a5af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
            },
            {
              "name": "FEDORA-2021-ef83e8525a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
            },
            {
              "name": "FEDORA-2021-b76ede8f4d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
            },
            {
              "name": "FEDORA-2021-309bc2e727",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
            },
            {
              "name": "FEDORA-2021-5a09621ebb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
            },
            {
              "name": "FEDORA-2021-e22bb0e548",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
            },
            {
              "name": "FEDORA-2021-e525e48886",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
            },
            {
              "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
            },
            {
              "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
            },
            {
              "name": "FEDORA-2021-b6b6093b3a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
            },
            {
              "name": "GLSA-202104-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202104-04"
            },
            {
              "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
            },
            {
              "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-98720f3785",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
            },
            {
              "name": "FEDORA-2021-12df7f7382",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
            }
          ],
          "title": "Web Cache Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2021-23336",
        "datePublished": "2021-02-15T12:15:20.788Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2025-12-17T21:16:09.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3177 (GCVE-0-2021-3177)

    Vulnerability from nvd – Published: 2021-01-19 00:00 – Updated: 2025-12-18 15:03
    Summary
    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    URL Tags
    https://bugs.python.org/issue42938
    https://github.com/python/cpython/pull/24239
    https://python-security.readthedocs.io/vuln/ctype…
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://security.gentoo.org/glsa/202101-18 vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.apache.org/thread.html/rf9fa47ab664… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://news.ycombinator.com/item?id=26185005
    https://security.netapp.com/advisory/ntap-2021022…
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://lists.debian.org/debian-lts-announce/2022… mailing-list
    https://www.oracle.com/security-alerts/cpujul2022.html
    https://lists.debian.org/debian-lts-announce/2023… mailing-list

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:45:51.394Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugs.python.org/issue42938"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/python/cpython/pull/24239"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"
              },
              {
                "name": "FEDORA-2021-faf88b9499",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/"
              },
              {
                "name": "FEDORA-2021-cc3ff94cfc",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/"
              },
              {
                "name": "GLSA-202101-18",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-18"
              },
              {
                "name": "FEDORA-2021-e3a5a74610",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/"
              },
              {
                "name": "FEDORA-2021-ced31f3f0c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/"
              },
              {
                "name": "FEDORA-2021-42ba9feb47",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/"
              },
              {
                "name": "FEDORA-2021-076a2dccba",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/"
              },
              {
                "name": "FEDORA-2021-851c6e4e2d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/"
              },
              {
                "name": "FEDORA-2021-66547ff92d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/"
              },
              {
                "name": "FEDORA-2021-17668e344a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/"
              },
              {
                "name": "FEDORA-2021-d5cde50865",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/"
              },
              {
                "name": "FEDORA-2021-7547ad987f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
              },
              {
                "name": "FEDORA-2021-f4fd9372c7",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
              },
              {
                "name": "FEDORA-2021-3352c1c802",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
              },
              {
                "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-907f3bacae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
              },
              {
                "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=26185005"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210226-0003/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "name": "[debian-lts-announce] 20220212 [SECURITY] [DLA 2919-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3177",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:03:29.016940Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-120",
                    "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:03:34.545Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-24T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://bugs.python.org/issue42938"
            },
            {
              "url": "https://github.com/python/cpython/pull/24239"
            },
            {
              "url": "https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"
            },
            {
              "name": "FEDORA-2021-faf88b9499",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/"
            },
            {
              "name": "FEDORA-2021-cc3ff94cfc",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/"
            },
            {
              "name": "GLSA-202101-18",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-18"
            },
            {
              "name": "FEDORA-2021-e3a5a74610",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/"
            },
            {
              "name": "FEDORA-2021-ced31f3f0c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/"
            },
            {
              "name": "FEDORA-2021-42ba9feb47",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/"
            },
            {
              "name": "FEDORA-2021-076a2dccba",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/"
            },
            {
              "name": "FEDORA-2021-851c6e4e2d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/"
            },
            {
              "name": "FEDORA-2021-66547ff92d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/"
            },
            {
              "name": "FEDORA-2021-17668e344a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/"
            },
            {
              "name": "FEDORA-2021-d5cde50865",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/"
            },
            {
              "name": "FEDORA-2021-7547ad987f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
            },
            {
              "name": "FEDORA-2021-f4fd9372c7",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
            },
            {
              "name": "FEDORA-2021-3352c1c802",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
            },
            {
              "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-907f3bacae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
            },
            {
              "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://news.ycombinator.com/item?id=26185005"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210226-0003/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "[debian-lts-announce] 20220212 [SECURITY] [DLA 2919-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3177",
        "datePublished": "2021-01-19T00:00:00.000Z",
        "dateReserved": "2021-01-19T00:00:00.000Z",
        "dateUpdated": "2025-12-18T15:03:34.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-36183 (GCVE-0-2020-36183)

    Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.407Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/3003"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:21:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/3003"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36183",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/3003",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/3003"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36183",
        "datePublished": "2021-01-06T22:30:15.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36182 (GCVE-0-2020-36182)

    Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
    VLAI
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fasterxml jackson-databind Affected: 0 , < 2.9.10.8 (custom)
        cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
    debian debian_linux Affected: 8.0
        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    netapp steelstore_cloud_integrated_storage Affected: *
        cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    oracle agile_plm Affected: 9.3.6
        cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    oracle autovue_for_agile_product_lifecycle_management Affected: 21.0.2
        cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
    oracle banking_digital_experience Affected: 18.1 , ≤ 18.3 (custom)
    Affected: 19.1 , ≤ 19.2 (custom)
    Affected: 20.1
    Affected: 2.4.0 , ≤ 2.9.0 (custom)
        cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
    oracle communications_calendar_server Affected: 8.0.0.4.0 , ≤ 8.0.0.5.0 (custom)
        cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
    oracle communications_diameter_signaling_router Affected: 8.0.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*
    oracle communications_element_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
    oracle communications_evolved_communications_application_server Affected: 7.1
        cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
    oracle communications_instant_messaging_server Affected: 10.0.1.4.0
        cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 6.0.1
        cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 12.0.0 , ≤ 12.0.3 (custom)
        cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
    oracle communications_session_route_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*
    oracle enterprise_manager_base_platform Affected: 13.3.0.0 , ≤ 13.4.0.0 (custom)
        cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
    oracle financial_services_analytical_applications_infrastructure Affected: 8.0.6 , ≤ 8.1.0 (custom)
        cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_institutional_performance_analytics Affected: 8.0.6
    Affected: 8.0.7
    Affected: 8.1.0
        cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_price_creation_and_discovery Affected: 8.0.6 , ≤ 8.0.7 (custom)
        cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_retail_customer_analytics Affected: 8.0.6
        cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*
    oracle global_lifecycle_management_opatch Affected: 0 , ≤ 12.2.0.1.20 (custom)
        cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
    oracle insurance_policy_administration_j2ee Affected: 11.0.2.25 , < 11.1.0.15 (custom)
        cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*
    oracle jd_edwards_enterpriseone_orchestrator Affected: 0 , ≤ 9.2.4.2 (custom)
        cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
    oracle primavera_unifier Affected: 16.1
    Affected: 16.2
    Affected: 17.7 , ≤ 17.12 (custom)
    Affected: 18.8
    Affected: 19.12
        cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
    oracle retail_merchandising_system Affected: 15.0
        cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
    oracle retail_sales_audit Affected: 14.1
        cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
    oracle retail_service_backbone Affected: 14.1
    Affected: 15.0
    Affected: 16.0
        cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*
    oracle retail_xstore_point_of_service Affected: 15.0 , ≤ 19.0 (custom)
        cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    oracle weblogic_server Affected: 12.2.1.3.0 , ≤ 12.2.1.4.0 (custom)
        cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jackson-databind",
                "vendor": "fasterxml",
                "versions": [
                  {
                    "lessThan": "2.9.10.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "steelstore_cloud_integrated_storage",
                "vendor": "netapp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "agile_plm",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "9.3.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "autovue_for_agile_product_lifecycle_management",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "21.0.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "banking_digital_experience",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "18.3",
                    "status": "affected",
                    "version": "18.1",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "19.2",
                    "status": "affected",
                    "version": "19.1",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "20.1"
                  },
                  {
                    "lessThanOrEqual": "2.9.0",
                    "status": "affected",
                    "version": "2.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_calendar_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.5.0",
                    "status": "affected",
                    "version": "8.0.0.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_diameter_signaling_router",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_element_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_evolved_communications_application_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_instant_messaging_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0.1.4.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.0.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.0.3",
                    "status": "affected",
                    "version": "12.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_session_route_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "enterprise_manager_base_platform",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "13.4.0.0",
                    "status": "affected",
                    "version": "13.3.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_analytical_applications_infrastructure",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.0",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_institutional_performance_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  },
                  {
                    "status": "affected",
                    "version": "8.0.7"
                  },
                  {
                    "status": "affected",
                    "version": "8.1.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_price_creation_and_discovery",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.7",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_retail_customer_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "global_lifecycle_management_opatch",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.0.1.20",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "insurance_policy_administration_j2ee",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThan": "11.1.0.15",
                    "status": "affected",
                    "version": "11.0.2.25",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jd_edwards_enterpriseone_orchestrator",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "9.2.4.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "primavera_unifier",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "16.1"
                  },
                  {
                    "status": "affected",
                    "version": "16.2"
                  },
                  {
                    "lessThanOrEqual": "17.12",
                    "status": "affected",
                    "version": "17.7",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "18.8"
                  },
                  {
                    "status": "affected",
                    "version": "19.12"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_merchandising_system",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "15.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_sales_audit",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_service_backbone",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  },
                  {
                    "status": "affected",
                    "version": "15.0"
                  },
                  {
                    "status": "affected",
                    "version": "16.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_xstore_point_of_service",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "19.0",
                    "status": "affected",
                    "version": "15.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "weblogic_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.1.4.0",
                    "status": "affected",
                    "version": "12.2.1.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-25T04:00:52.974482Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:12:28.014Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.677Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:20:53.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36182",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/3004",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36182",
        "datePublished": "2021-01-06T22:30:22.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.677Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36180 (GCVE-0-2020-36180)

    Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
    VLAI
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fasterxml jackson-databind Affected: 0 , < 2.9.10.8 (custom)
        cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
    debian debian_linux Affected: 8.0
        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    netapp steelstore_cloud_integrated_storage Affected: *
        cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    oracle agile_plm Affected: 9.3.6
        cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    oracle autovue_for_agile_product_lifecycle_management Affected: 21.0.2
        cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
    oracle banking_digital_experience Affected: 18.1 , ≤ 18.3 (custom)
    Affected: 19.1 , ≤ 19.2 (custom)
    Affected: 20.1
    Affected: 2.4.0 , ≤ 2.9.0 (custom)
        cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
    oracle communications_calendar_server Affected: 8.0.0.4.0 , ≤ 8.0.0.5.0 (custom)
        cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
    oracle communications_diameter_signaling_router Affected: 8.0.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*
    oracle communications_element_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
    oracle communications_evolved_communications_application_server Affected: 7.1
        cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
    oracle communications_instant_messaging_server Affected: 10.0.1.4.0
        cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 6.0.1
        cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 12.0.0 , ≤ 12.0.3 (custom)
        cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
    oracle communications_session_route_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*
    oracle enterprise_manager_base_platform Affected: 13.3.0.0 , ≤ 13.4.0.0 (custom)
        cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
    oracle financial_services_analytical_applications_infrastructure Affected: 8.0.6 , ≤ 8.1.0 (custom)
        cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_institutional_performance_analytics Affected: 8.0.6
    Affected: 8.0.7
    Affected: 8.1.0
        cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_price_creation_and_discovery Affected: 8.0.6 , ≤ 8.0.7 (custom)
        cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_retail_customer_analytics Affected: 8.0.6
        cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*
    oracle global_lifecycle_management_opatch Affected: 0 , ≤ 12.2.0.1.20 (custom)
        cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
    oracle insurance_policy_administration_j2ee Affected: 11.0.2.25 , < 11.1.0.15 (custom)
        cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*
    oracle jd_edwards_enterpriseone_orchestrator Affected: 0 , ≤ 9.2.4.2 (custom)
        cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
    oracle primavera_unifier Affected: 16.1
    Affected: 16.2
    Affected: 17.7 , ≤ 17.12 (custom)
    Affected: 18.8
    Affected: 19.12
        cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
    oracle retail_merchandising_system Affected: 15.0
        cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
    oracle retail_sales_audit Affected: 14.1
        cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
    oracle retail_service_backbone Affected: 14.1
    Affected: 15.0
    Affected: 16.0
        cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*
    oracle retail_xstore_point_of_service Affected: 15.0 , ≤ 19.0 (custom)
        cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    oracle weblogic_server Affected: 12.2.1.3.0 , ≤ 12.2.1.4.0 (custom)
        cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jackson-databind",
                "vendor": "fasterxml",
                "versions": [
                  {
                    "lessThan": "2.9.10.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "steelstore_cloud_integrated_storage",
                "vendor": "netapp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "agile_plm",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "9.3.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "autovue_for_agile_product_lifecycle_management",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "21.0.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "banking_digital_experience",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "18.3",
                    "status": "affected",
                    "version": "18.1",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "19.2",
                    "status": "affected",
                    "version": "19.1",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "20.1"
                  },
                  {
                    "lessThanOrEqual": "2.9.0",
                    "status": "affected",
                    "version": "2.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_calendar_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.5.0",
                    "status": "affected",
                    "version": "8.0.0.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_diameter_signaling_router",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_element_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_evolved_communications_application_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_instant_messaging_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0.1.4.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.0.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.0.3",
                    "status": "affected",
                    "version": "12.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_session_route_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "enterprise_manager_base_platform",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "13.4.0.0",
                    "status": "affected",
                    "version": "13.3.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_analytical_applications_infrastructure",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.0",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_institutional_performance_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  },
                  {
                    "status": "affected",
                    "version": "8.0.7"
                  },
                  {
                    "status": "affected",
                    "version": "8.1.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_price_creation_and_discovery",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.7",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_retail_customer_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "global_lifecycle_management_opatch",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.0.1.20",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "insurance_policy_administration_j2ee",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThan": "11.1.0.15",
                    "status": "affected",
                    "version": "11.0.2.25",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jd_edwards_enterpriseone_orchestrator",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "9.2.4.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "primavera_unifier",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "16.1"
                  },
                  {
                    "status": "affected",
                    "version": "16.2"
                  },
                  {
                    "lessThanOrEqual": "17.12",
                    "status": "affected",
                    "version": "17.7",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "18.8"
                  },
                  {
                    "status": "affected",
                    "version": "19.12"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_merchandising_system",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "15.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_sales_audit",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_service_backbone",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  },
                  {
                    "status": "affected",
                    "version": "15.0"
                  },
                  {
                    "status": "affected",
                    "version": "16.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_xstore_point_of_service",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "19.0",
                    "status": "affected",
                    "version": "15.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "weblogic_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.1.4.0",
                    "status": "affected",
                    "version": "12.2.1.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-25T04:00:49.885173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:12:24.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.529Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:20:30.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36180",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/3004",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36180",
        "datePublished": "2021-01-06T22:30:31.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36179 (GCVE-0-2020-36179)

    Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
    VLAI
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fasterxml jackson-databind Affected: 0 , < 2.9.10.8 (custom)
        cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
    debian debian_linux Affected: 8.0
        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    netapp steelstore_cloud_integrated_storage Affected: *
        cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    oracle agile_plm Affected: 9.3.6
        cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    oracle autovue_for_agile_product_lifecycle_management Affected: 21.0.2
        cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
    oracle banking_digital_experience Affected: 18.1 , ≤ 18.3 (custom)
    Affected: 19.1 , ≤ 19.2 (custom)
    Affected: 20.1
    Affected: 2.4.0 , ≤ 2.9.0 (custom)
        cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
    oracle communications_calendar_server Affected: 8.0.0.4.0 , ≤ 8.0.0.5.0 (custom)
        cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
    oracle communications_diameter_signaling_router Affected: 8.0.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*
    oracle communications_element_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
    oracle communications_evolved_communications_application_server Affected: 7.1
        cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
    oracle communications_instant_messaging_server Affected: 10.0.1.4.0
        cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 6.0.1
        cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 12.0.0 , ≤ 12.0.3 (custom)
        cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
    oracle communications_session_route_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*
    oracle enterprise_manager_base_platform Affected: 13.3.0.0 , ≤ 13.4.0.0 (custom)
        cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
    oracle financial_services_analytical_applications_infrastructure Affected: 8.0.6 , ≤ 8.1.0 (custom)
        cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_institutional_performance_analytics Affected: 8.0.6
    Affected: 8.0.7
    Affected: 8.1.0
        cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_price_creation_and_discovery Affected: 8.0.6 , ≤ 8.0.7 (custom)
        cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_retail_customer_analytics Affected: 8.0.6
        cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*
    oracle global_lifecycle_management_opatch Affected: 0 , ≤ 12.2.0.1.20 (custom)
        cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
    oracle insurance_policy_administration_j2ee Affected: 11.0.2.25 , < 11.1.0.15 (custom)
        cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*
    oracle jd_edwards_enterpriseone_orchestrator Affected: 0 , ≤ 9.2.4.2 (custom)
        cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
    oracle primavera_unifier Affected: 16.1
    Affected: 16.2
    Affected: 17.7 , ≤ 17.12 (custom)
    Affected: 18.8
    Affected: 19.12
        cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
    oracle retail_merchandising_system Affected: 15.0
        cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
    oracle retail_sales_audit Affected: 14.1
        cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
    oracle retail_service_backbone Affected: 14.1
    Affected: 15.0
    Affected: 16.0
        cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*
    oracle retail_xstore_point_of_service Affected: 15.0 , ≤ 19.0 (custom)
        cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    oracle weblogic_server Affected: 12.2.1.3.0 , ≤ 12.2.1.4.0 (custom)
        cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jackson-databind",
                "vendor": "fasterxml",
                "versions": [
                  {
                    "lessThan": "2.9.10.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "steelstore_cloud_integrated_storage",
                "vendor": "netapp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "agile_plm",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "9.3.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "autovue_for_agile_product_lifecycle_management",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "21.0.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "banking_digital_experience",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "18.3",
                    "status": "affected",
                    "version": "18.1",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "19.2",
                    "status": "affected",
                    "version": "19.1",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "20.1"
                  },
                  {
                    "lessThanOrEqual": "2.9.0",
                    "status": "affected",
                    "version": "2.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_calendar_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.5.0",
                    "status": "affected",
                    "version": "8.0.0.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_diameter_signaling_router",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_element_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_evolved_communications_application_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_instant_messaging_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0.1.4.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.0.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.0.3",
                    "status": "affected",
                    "version": "12.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_session_route_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "enterprise_manager_base_platform",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "13.4.0.0",
                    "status": "affected",
                    "version": "13.3.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_analytical_applications_infrastructure",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.0",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_institutional_performance_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  },
                  {
                    "status": "affected",
                    "version": "8.0.7"
                  },
                  {
                    "status": "affected",
                    "version": "8.1.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_price_creation_and_discovery",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.7",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_retail_customer_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "global_lifecycle_management_opatch",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.0.1.20",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "insurance_policy_administration_j2ee",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThan": "11.1.0.15",
                    "status": "affected",
                    "version": "11.0.2.25",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jd_edwards_enterpriseone_orchestrator",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "9.2.4.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "primavera_unifier",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "16.1"
                  },
                  {
                    "status": "affected",
                    "version": "16.2"
                  },
                  {
                    "lessThanOrEqual": "17.12",
                    "status": "affected",
                    "version": "17.7",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "18.8"
                  },
                  {
                    "status": "affected",
                    "version": "19.12"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_merchandising_system",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "15.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_sales_audit",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_service_backbone",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  },
                  {
                    "status": "affected",
                    "version": "15.0"
                  },
                  {
                    "status": "affected",
                    "version": "16.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_xstore_point_of_service",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "19.0",
                    "status": "affected",
                    "version": "15.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "weblogic_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.1.4.0",
                    "status": "affected",
                    "version": "12.2.1.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-25T04:00:53.989419Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:12:24.525Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.285Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
              },
              {
                "name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:20:19.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
            },
            {
              "name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436%40%3Cissues.spark.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36179",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/3004",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/3004"
                },
                {
                  "name": "[spark-issues] 20210115 [jira] [Created] (SPARK-34124) Upgrade jackson version to fix CVE-2020-36179 in Spark 2.4",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36179",
        "datePublished": "2021-01-06T22:30:38.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36189 (GCVE-0-2020-36189)

    Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.508Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:22:16.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36189",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2996",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36189",
        "datePublished": "2021-01-06T22:29:28.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36188 (GCVE-0-2020-36188)

    Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.309Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:22:05.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36188",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2996",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2996"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36188",
        "datePublished": "2021-01-06T22:29:36.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.309Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36187 (GCVE-0-2020-36187)

    Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.266Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:21:52.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36187",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2997",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36187",
        "datePublished": "2021-01-06T22:29:44.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36186 (GCVE-0-2020-36186)

    Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.443Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:21:41.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36186",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2997",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2997"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36186",
        "datePublished": "2021-01-06T22:29:51.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36185 (GCVE-0-2020-36185)

    Vulnerability from nvd – Published: 2021-01-06 22:29 – Updated: 2024-08-04 17:23
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.472Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:21:28.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36185",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2998",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36185",
        "datePublished": "2021-01-06T22:29:59.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36184 (GCVE-0-2020-36184)

    Vulnerability from nvd – Published: 2021-01-06 22:30 – Updated: 2024-08-04 17:23
    VLAI
    Summary
    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fasterxml jackson-databind Affected: 0 , < 2.9.10.8 (custom)
        cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
    debian debian_linux Affected: 8.0
        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    netapp steelstore_cloud_integrated_storage Affected: *
        cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
    oracle agile_plm Affected: 9.3.6
        cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
    oracle autovue_for_agile_product_lifecycle_management Affected: 21.0.2
        cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
    oracle banking_digital_experience Affected: 18.1 , ≤ 18.3 (custom)
    Affected: 19.1 , ≤ 19.2 (custom)
    Affected: 20.1
    Affected: 2.4.0 , ≤ 2.9.0 (custom)
        cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
    oracle communications_calendar_server Affected: 8.0.0.4.0 , ≤ 8.0.0.5.0 (custom)
        cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*
    oracle communications_diameter_signaling_router Affected: 8.0.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*
    oracle communications_element_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
    oracle communications_evolved_communications_application_server Affected: 7.1
        cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
    oracle communications_instant_messaging_server Affected: 10.0.1.4.0
        cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 6.0.1
        cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*
    oracle communications_network_charging_and_control Affected: 12.0.0 , ≤ 12.0.3 (custom)
        cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*
    oracle communications_session_route_manager Affected: 8.2.0 , ≤ 8.2.2 (custom)
        cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*
    oracle enterprise_manager_base_platform Affected: 13.3.0.0 , ≤ 13.4.0.0 (custom)
        cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
    oracle financial_services_analytical_applications_infrastructure Affected: 8.0.6 , ≤ 8.1.0 (custom)
        cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_institutional_performance_analytics Affected: 8.0.6
    Affected: 8.0.7
    Affected: 8.1.0
        cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_price_creation_and_discovery Affected: 8.0.6 , ≤ 8.0.7 (custom)
        cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*
    oracle financial_services_retail_customer_analytics Affected: 8.0.6
        cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*
    oracle global_lifecycle_management_opatch Affected: 0 , ≤ 12.2.0.1.20 (custom)
        cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
    oracle insurance_policy_administration_j2ee Affected: 11.0.2.25 , < 11.1.0.15 (custom)
        cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*
    oracle jd_edwards_enterpriseone_orchestrator Affected: 0 , ≤ 9.2.4.2 (custom)
        cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*
    oracle primavera_unifier Affected: 16.1
    Affected: 16.2
    Affected: 17.7 , ≤ 17.12 (custom)
    Affected: 18.8
    Affected: 19.12
        cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
    oracle retail_merchandising_system Affected: 15.0
        cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*
    oracle retail_sales_audit Affected: 14.1
        cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*
    oracle retail_service_backbone Affected: 14.1
    Affected: 15.0
    Affected: 16.0
        cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*
    oracle retail_xstore_point_of_service Affected: 15.0 , ≤ 19.0 (custom)
        cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
    oracle weblogic_server Affected: 12.2.1.3.0 , ≤ 12.2.1.4.0 (custom)
        cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jackson-databind",
                "vendor": "fasterxml",
                "versions": [
                  {
                    "lessThan": "2.9.10.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "debian_linux",
                "vendor": "debian",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "steelstore_cloud_integrated_storage",
                "vendor": "netapp",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "agile_plm",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "9.3.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "autovue_for_agile_product_lifecycle_management",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "21.0.2"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "banking_digital_experience",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "18.3",
                    "status": "affected",
                    "version": "18.1",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "19.2",
                    "status": "affected",
                    "version": "19.1",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "20.1"
                  },
                  {
                    "lessThanOrEqual": "2.9.0",
                    "status": "affected",
                    "version": "2.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_calendar_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.5.0",
                    "status": "affected",
                    "version": "8.0.0.4.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_diameter_signaling_router:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_diameter_signaling_router",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_element_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_evolved_communications_application_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_instant_messaging_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "10.0.1.4.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "6.0.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_network_charging_and_control",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.0.3",
                    "status": "affected",
                    "version": "12.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:communications_session_route_manager:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "communications_session_route_manager",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.2.2",
                    "status": "affected",
                    "version": "8.2.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "enterprise_manager_base_platform",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "13.4.0.0",
                    "status": "affected",
                    "version": "13.3.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_analytical_applications_infrastructure",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.0",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_institutional_performance_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  },
                  {
                    "status": "affected",
                    "version": "8.0.7"
                  },
                  {
                    "status": "affected",
                    "version": "8.1.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_price_creation_and_discovery:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_price_creation_and_discovery",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.7",
                    "status": "affected",
                    "version": "8.0.6",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:financial_services_retail_customer_analytics:8.0.6:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "financial_services_retail_customer_analytics",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "8.0.6"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "global_lifecycle_management_opatch",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.0.1.20",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "insurance_policy_administration_j2ee",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThan": "11.1.0.15",
                    "status": "affected",
                    "version": "11.0.2.25",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jd_edwards_enterpriseone_orchestrator",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "9.2.4.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "primavera_unifier",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "16.1"
                  },
                  {
                    "status": "affected",
                    "version": "16.2"
                  },
                  {
                    "lessThanOrEqual": "17.12",
                    "status": "affected",
                    "version": "17.7",
                    "versionType": "custom"
                  },
                  {
                    "status": "affected",
                    "version": "18.8"
                  },
                  {
                    "status": "affected",
                    "version": "19.12"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_merchandising_system",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "15.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_sales_audit:14.1:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_sales_audit",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_service_backbone",
                "vendor": "oracle",
                "versions": [
                  {
                    "status": "affected",
                    "version": "14.1"
                  },
                  {
                    "status": "affected",
                    "version": "15.0"
                  },
                  {
                    "status": "affected",
                    "version": "16.0"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "retail_xstore_point_of_service",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "19.0",
                    "status": "affected",
                    "version": "15.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "weblogic_server",
                "vendor": "oracle",
                "versions": [
                  {
                    "lessThanOrEqual": "12.2.1.4.0",
                    "status": "affected",
                    "version": "12.2.1.3.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-36184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-25T04:00:50.943406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:12:27.571Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.423Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
              },
              {
                "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:21:15.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
            },
            {
              "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-36184",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
                  "refsource": "MISC",
                  "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
                },
                {
                  "name": "https://github.com/FasterXML/jackson-databind/issues/2998",
                  "refsource": "MISC",
                  "url": "https://github.com/FasterXML/jackson-databind/issues/2998"
                },
                {
                  "name": "[debian-lts-announce] 20210424 [SECURITY] [DLA 2638-1] jackson-databind security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210205-0005/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210205-0005/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-36184",
        "datePublished": "2021-01-06T22:30:07.000Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T17:23:09.423Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23307 (GCVE-0-2022-23307)

    Vulnerability from cvelistv5 – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:44
    Title
    A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
    Summary
    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.2.1 , < unspecified (custom)
    Affected: unspecified , ≤ 2.0-alpha1 (custom)
    Credits
    @kingkk

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.396Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:31:45.470568Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:44:43.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "@kingkk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "Critical"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:30.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.",
          "workarounds": [
            {
              "lang": "en",
              "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23307",
              "STATE": "PUBLIC",
              "TITLE": "A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution."
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.2.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "@kingkk"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "Critical"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23307",
        "datePublished": "2022-01-18T15:25:23.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:44:43.452Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23305 (GCVE-0-2022-23305)

    Vulnerability from cvelistv5 – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:40
    Title
    SQL injection in JDBC Appender in Apache Log4j V1
    Summary
    By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.2.1 , < unspecified (custom)
    Affected: unspecified , < 2.0-alpha1 (custom)
    Credits
    Daniel Martin of NCC Group

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.421Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:32:51.484506Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:40:57.853Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.2.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Daniel Martin of NCC Group"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "high"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:18.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "SQL injection in JDBC Appender in Apache Log4j V1",
          "workarounds": [
            {
              "lang": "en",
              "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23305",
              "STATE": "PUBLIC",
              "TITLE": "SQL injection in JDBC Appender in Apache Log4j V1"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.2.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Daniel Martin of NCC Group"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "high"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y"
                },
                {
                  "name": "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220217-0007/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220217-0007/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23305",
        "datePublished": "2022-01-18T15:25:22.000Z",
        "dateReserved": "2022-01-17T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:40:57.853Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-23302 (GCVE-0-2022-23302)

    Vulnerability from cvelistv5 – Published: 2022-01-18 15:25 – Updated: 2026-05-27 13:46
    Title
    Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
    Summary
    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: 1.0.1 , < unspecified (custom)
    Affected: unspecified , < 2.0-alpha1 (custom)
    Credits
    Eduardo' Vela, Maksim Shudrak and Jacob Butler from Google.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-07-07T17:47:01.136Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability"
              },
              {
                "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://logging.apache.org/log4j/1.2/index.html"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23302",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:40:24.478659Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T13:46:05.384Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "1.0.1",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2.0-alpha1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "high"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:49:03.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://logging.apache.org/log4j/1.2/index.html"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "workarounds": [
            {
              "lang": "en",
              "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23302",
              "STATE": "PUBLIC",
              "TITLE": "Deserialization of untrusted data in JMSSink in Apache Log4j 1.x"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j 1.x",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "1.0.1"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.0-alpha1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Eduardo\u0027 Vela, Maksim Shudrak and Jacob Butler from Google."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "high"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w"
                },
                {
                  "name": "https://logging.apache.org/log4j/1.2/index.html",
                  "refsource": "MISC",
                  "url": "https://logging.apache.org/log4j/1.2/index.html"
                },
                {
                  "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220217-0006/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220217-0006/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23302",
        "datePublished": "2022-01-18T15:25:20.000Z",
        "dateReserved": "2022-01-16T00:00:00.000Z",
        "dateUpdated": "2026-05-27T13:46:05.384Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-44832 (GCVE-0-2021-44832)

    Vulnerability from cvelistv5 – Published: 2021-12-28 19:35 – Updated: 2026-05-29 18:53
    Title
    Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration
    Summary
    Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j2 Affected: log4j-core , < 2.17.1 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.076Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_CISCO",
                  "x_transferred"
                ],
                "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
              },
              {
                "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
              },
              {
                "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
              },
              {
                "name": "FEDORA-2021-c6f471ce0f",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
              },
              {
                "name": "FEDORA-2021-1bd9151bab",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.6,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-44832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T18:53:35.535632Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T18:53:46.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j2",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.13.0",
                      "status": "affected"
                    },
                    {
                      "at": "2.12.4",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.4",
                      "status": "affected"
                    },
                    {
                      "at": "2.3.2",
                      "status": "unaffected"
                    },
                    {
                      "at": "2.0-beta7",
                      "status": "affected"
                    }
                  ],
                  "lessThan": "2.17.1",
                  "status": "affected",
                  "version": "log4j-core",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "moderate"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:41:33.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
              "tags": [
                "vendor-advisory",
                "x_refsource_CISCO"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
            },
            {
              "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
            },
            {
              "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
            },
            {
              "name": "FEDORA-2021-c6f471ce0f",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
            },
            {
              "name": "FEDORA-2021-1bd9151bab",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "defect": [
              "LOG4J2-3293",
              ""
            ],
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2021-12-27T00:00:00.000Z",
              "value": "reported"
            },
            {
              "lang": "en",
              "time": "2021-12-27T00:00:00.000Z",
              "value": "patch proposed, 2.17.1-rc1"
            },
            {
              "lang": "en",
              "time": "2021-12-28T00:00:00.000Z",
              "value": "fixed"
            },
            {
              "lang": "en",
              "time": "2021-12-28T00:00:00.000Z",
              "value": "public"
            }
          ],
          "title": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-44832",
              "STATE": "PUBLIC",
              "TITLE": "Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Log4j2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.17.1"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.13.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.12.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.4"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "log4j-core",
                                "version_value": "2.3.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_name": "log4j-core",
                                "version_value": "2.0-beta7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "moderate"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "20211210 Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021",
                  "refsource": "CISCO",
                  "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
                },
                {
                  "name": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143"
                },
                {
                  "name": "https://issues.apache.org/jira/browse/LOG4J2-3293",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/LOG4J2-3293"
                },
                {
                  "name": "[oss-security] 20211228 CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/12/28/1"
                },
                {
                  "name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2870-1] apache-log4j2 security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00036.html"
                },
                {
                  "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-784507.pdf"
                },
                {
                  "name": "FEDORA-2021-c6f471ce0f",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVV25FXL4FU5X6X5BSL7RLQ7T6F65MRA/"
                },
                {
                  "name": "FEDORA-2021-1bd9151bab",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T57MPJUW3MA6QGWZRTMCHHMMPQNVKGFC/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220104-0001/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220104-0001/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "defect": [
                "LOG4J2-3293",
                ""
              ],
              "discovery": "UNKNOWN"
            },
            "timeline": [
              {
                "lang": "en",
                "time": "2021-12-27T00:00:00.000Z",
                "value": "reported"
              },
              {
                "lang": "en",
                "time": "2021-12-27T00:00:00.000Z",
                "value": "patch proposed, 2.17.1-rc1"
              },
              {
                "lang": "en",
                "time": "2021-12-28T00:00:00.000Z",
                "value": "fixed"
              },
              {
                "lang": "en",
                "time": "2021-12-28T00:00:00.000Z",
                "value": "public"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-44832",
        "datePublished": "2021-12-28T19:35:11.000Z",
        "dateReserved": "2021-12-11T00:00:00.000Z",
        "dateUpdated": "2026-05-29T18:53:46.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-4104 (GCVE-0-2021-4104)

    Vulnerability from cvelistv5 – Published: 2021-12-14 00:00 – Updated: 2026-05-28 19:53
    Title
    Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
    Summary
    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Log4j 1.x Affected: Apache Log4j 1.2 1.2.x

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:16:04.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
              },
              {
                "name": "VU#930724",
                "tags": [
                  "third-party-advisory",
                  "x_transferred"
                ],
                "url": "https://www.kb.cert.org/vuls/id/930724"
              },
              {
                "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "GLSA-202209-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202209-02"
              },
              {
                "name": "GLSA-202310-16",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202310-16"
              },
              {
                "name": "GLSA-202312-02",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-02"
              },
              {
                "name": "GLSA-202312-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202312-04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-4104",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-20T16:29:18.701121Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T19:53:14.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Log4j 1.x",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Log4j 1.2 1.2.x"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-22T09:06:15.357Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
            },
            {
              "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
            },
            {
              "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
            },
            {
              "name": "VU#930724",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/930724"
            },
            {
              "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "GLSA-202209-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202209-02"
            },
            {
              "name": "GLSA-202310-16",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202310-16"
            },
            {
              "name": "GLSA-202312-02",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-02"
            },
            {
              "name": "GLSA-202312-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202312-04"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-4104",
        "datePublished": "2021-12-14T00:00:00.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2026-05-28T19:53:14.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-29425 (GCVE-0-2021-29425)

    Vulnerability from cvelistv5 – Published: 2021-04-13 06:50 – Updated: 2024-08-03 22:02
    Title
    Possible limited path traversal vulnerability in Apache Commons IO
    Summary
    In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
    Severity
    No CVSS data available.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    URL Tags
    https://issues.apache.org/jira/browse/IO-556 x_refsource_MISC
    https://lists.apache.org/thread.html/rc359823b550… x_refsource_MISC
    https://lists.apache.org/thread.html/rfd01af05bab… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r8efcbabde97… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r873d5ddafc0… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r0d73e2071d1… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r47ab6f68cbb… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/raa053846cae… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r8569a41d565… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rfa2f08b7c0c… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r1c2f4683c35… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r27b1eedda37… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/ra8ef65aedc0… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r523a6ffad58… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rbebd3e19651… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r2bc986a0704… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r2721aba31a8… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r345330b7858… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rad4ae544747… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r808be7d93b1… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rc65f9bc679f… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rc2dd3204260… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r2df50af2641… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r8bfc7235e6b… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r92ea904f4ba… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rfcd2c649c20… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r2345b49dbff… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r477c285126a… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rc10fa20ef4d… mailing-list x_refsource_MLIST
    https://lists.debian.org/debian-lts-announce/2021… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rca71a10ca53… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/re41e9967bee… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rd09d4ab3e32… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r01b4a1fcdf3… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/red3aea91040… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r20416f39ca7… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r86528f4b7d2… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/rc5f3df5316c… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r0bfa8f7921a… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r462db908acc… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r4050f9f6b42… mailing-list x_refsource_MLIST
    https://lists.apache.org/thread.html/r5149f78be26… mailing-list x_refsource_MLIST
    https://www.oracle.com/security-alerts/cpuoct2021.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpujan2022.html x_refsource_MISC
    https://www.oracle.com/security-alerts/cpuapr2022.html x_refsource_MISC
    https://security.netapp.com/advisory/ntap-2022021… x_refsource_CONFIRM
    https://www.oracle.com/security-alerts/cpujul2022.html x_refsource_MISC
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Commons IO Affected: Apache Commons IO 2.2
    Affected: Apache Commons IO 2.3
    Affected: Apache Commons IO 2.4
    Affected: Apache Commons IO 2.5
    Affected: Apache Commons IO 2.6

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T22:02:51.887Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/IO-556"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E"
              },
              {
                "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E"
              },
              {
                "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[kafka-users] 20210617 vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
              },
              {
                "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E"
              },
              {
                "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E"
              },
              {
                "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E"
              },
              {
                "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Commons IO",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.2"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.3"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.4"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.5"
                },
                {
                  "status": "affected",
                  "version": "Apache Commons IO 2.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value as the input, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-25T16:27:07.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/IO-556"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E"
            },
            {
              "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20210617 vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E"
            },
            {
              "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E"
            },
            {
              "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ],
          "source": {
            "defect": [
              "IO-556",
              "IO-559"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Possible limited path traversal vulnerability in Apache Commons IO",
          "workarounds": [
            {
              "lang": "en",
              "value": "Neither the method in question (FilenameUtils.normalize) nor any method that invokes it actually accesses any files; it only returns a string, from which a path can be constructed. In other words, a possible workaround is to not pass any unsafe input to FilenameUtils.normalize."
            },
            {
              "lang": "en",
              "value": "Upgrade to Apache Commons IO 2.7 or later, where the same method returns the value null as an indication of \"invalid input\"; calling code must check for that null result before constructing a path from it."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-29425",
              "STATE": "PUBLIC",
              "TITLE": "Possible limited path traversal vulnerability in Apache Commons IO"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Commons IO",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.2"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.3"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.4"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.5"
                              },
                              {
                                "version_affected": "=",
                                "version_name": "Apache Commons IO",
                                "version_value": "2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache Commons IO before 2.7, when the method FilenameUtils.normalize is invoked with an improper input string, like \"//../foo\" or \"\\\\..\\foo\", the result is the same value as the input, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code uses the result to construct a path value."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/IO-556",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/IO-556"
                },
                {
                  "name": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E"
                },
                {
                  "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E"
                },
                {
                  "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[kafka-users] 20210617 vulnerabilities",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
                },
                {
                  "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E"
                },
                {
                  "name": "[commons-user] 20210709 commons-fileupload dependency and CVE",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E"
                },
                {
                  "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E"
                },
                {
                  "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220210-0004/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220210-0004/"
                },
                {
                  "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
                }
              ]
            },
            "source": {
              "defect": [
                "IO-556",
                "IO-559"
              ],
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Neither the method in question (FilenameUtils.normalize) nor any method that invokes it actually accesses any files; it only returns a string, from which a path can be constructed. In other words, a possible workaround is to not pass any unsafe input to FilenameUtils.normalize."
              },
              {
                "lang": "en",
                "value": "Upgrade to Apache Commons IO 2.7 or later, where the same method returns the value null as an indication of \"invalid input\"; calling code must check for that null result before constructing a path from it."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-29425",
        "datePublished": "2021-04-13T06:50:12.000Z",
        "dateReserved": "2021-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T22:02:51.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-28041 (GCVE-0-2021-28041)

    Vulnerability from cvelistv5 – Published: 2021-03-05 19:07 – Updated: 2024-08-03 21:33
    Summary
    ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:33:17.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openssh.com/security.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.openssh.com/txt/release-8.5"
              },
              {
                "name": "FEDORA-2021-f68a5a75ba",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
              },
              {
                "name": "GLSA-202105-35",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202105-35"
              },
              {
                "name": "FEDORA-2021-1d3698089d",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-20T22:56:32.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openssh.com/security.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.openssh.com/txt/release-8.5"
            },
            {
              "name": "FEDORA-2021-f68a5a75ba",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
            },
            {
              "name": "GLSA-202105-35",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202105-35"
            },
            {
              "name": "FEDORA-2021-1d3698089d",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-28041",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.openssh.com/security.html",
                  "refsource": "MISC",
                  "url": "https://www.openssh.com/security.html"
                },
                {
                  "name": "https://www.openwall.com/lists/oss-security/2021/03/03/1",
                  "refsource": "MISC",
                  "url": "https://www.openwall.com/lists/oss-security/2021/03/03/1"
                },
                {
                  "name": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db",
                  "refsource": "MISC",
                  "url": "https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db"
                },
                {
                  "name": "https://www.openssh.com/txt/release-8.5",
                  "refsource": "MISC",
                  "url": "https://www.openssh.com/txt/release-8.5"
                },
                {
                  "name": "FEDORA-2021-f68a5a75ba",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXST2CML2MWY3PNVUXX7FFJE3ATJMNVZ/"
                },
                {
                  "name": "GLSA-202105-35",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/202105-35"
                },
                {
                  "name": "FEDORA-2021-1d3698089d",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQWGII3LQR4AOTPPFXGMTYE7UDEWIUKI/"
                },
                {
                  "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
                  "refsource": "MISC",
                  "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20210416-0002/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20210416-0002/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-28041",
        "datePublished": "2021-03-05T19:07:34.000Z",
        "dateReserved": "2021-03-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T21:33:17.327Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-11987 (GCVE-0-2020-11987)

    Vulnerability from cvelistv5 – Published: 2021-02-24 00:00 – Updated: 2025-11-03 19:25
    Summary
    Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
    Severity
    No CVSS data available.
    CWE
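    • Information Disclosure (free-text problem type from the CNA; the record assigns no CWE ID, although the summary describes server-side request forgery)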
    Assigner
    Impacted products
    Vendor Product Version
    n/a Apache Batik Affected: Apache Batik 1.13

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T19:25:28.147Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://xmlgraphics.apache.org/security.html"
              },
              {
                "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
              },
              {
                "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-65ff5f10e2",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/"
              },
              {
                "name": "FEDORA-2021-33a1b73e48",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
              },
              {
                "name": "GLSA-202401-11",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202401-11"
              },
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Batik",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Batik 1.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-07T11:06:30.228Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://xmlgraphics.apache.org/security.html"
            },
            {
              "name": "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-65ff5f10e2",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/"
            },
            {
              "name": "FEDORA-2021-33a1b73e48",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"
            },
            {
              "name": "GLSA-202401-11",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202401-11"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-11987",
        "datePublished": "2021-02-24T00:00:00.000Z",
        "dateReserved": "2020-04-21T00:00:00.000Z",
        "dateUpdated": "2025-11-03T19:25:28.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-23336 (GCVE-0-2021-23336)

    Vulnerability from cvelistv5 – Published: 2021-02-15 12:15 – Updated: 2025-12-17 21:16
    Title
    Web Cache Poisoning
    Summary
    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Web Cache Poisoning
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-…
    https://github.com/python/cpython/pull/24297
    https://snyk.io/blog/cache-poisoning-in-popular-o…
    http://www.openwall.com/lists/oss-security/2021/02/19/4 mailing-list
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.apache.org/thread.html/rf9fa47ab664… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.debian.org/debian-lts-announce/2021… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://security.gentoo.org/glsa/202104-04 vendor-advisory
    https://lists.apache.org/thread.html/ra8ce70088ba… mailing-list
    http://www.openwall.com/lists/oss-security/2021/05/01/2 mailing-list
    https://lists.apache.org/thread.html/rc005f4de9d9… mailing-list
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://security.netapp.com/advisory/ntap-2021032…
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://lists.debian.org/debian-lts-announce/2023… mailing-list
    Impacted products
    Vendor Product Version
    n/a python/cpython Affected: 0 , < unspecified (custom)
    Affected: unspecified , < 3.6.13 (custom)
    Affected: 3.7.0 , < unspecified (custom)
    Affected: unspecified , < 3.7.10 (custom)
    Affected: 3.8.0 , < unspecified (custom)
    Affected: unspecified , < 3.8.8 (custom)
    Affected: 3.9.0 , < unspecified (custom)
    Affected: unspecified , < 3.9.2 (custom)
    Date Public
    2021-02-15 00:00
    Credits
    Snyk Security Team

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:05:55.612Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/python/cpython/pull/24297"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
              },
              {
                "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
              },
              {
                "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
              },
              {
                "name": "FEDORA-2021-7547ad987f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
              },
              {
                "name": "FEDORA-2021-f4fd9372c7",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
              },
              {
                "name": "FEDORA-2021-3352c1c802",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
              },
              {
                "name": "FEDORA-2021-7d3a9004e2",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
              },
              {
                "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-907f3bacae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
              },
              {
                "name": "FEDORA-2021-7c1bb32d13",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
              },
              {
                "name": "FEDORA-2021-b1843407ca",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
              },
              {
                "name": "FEDORA-2021-2897f5366c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
              },
              {
                "name": "FEDORA-2021-b326fcb83f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
              },
              {
                "name": "FEDORA-2021-1bb399a5af",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
              },
              {
                "name": "FEDORA-2021-ef83e8525a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
              },
              {
                "name": "FEDORA-2021-b76ede8f4d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
              },
              {
                "name": "FEDORA-2021-309bc2e727",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
              },
              {
                "name": "FEDORA-2021-5a09621ebb",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
              },
              {
                "name": "FEDORA-2021-e22bb0e548",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
              },
              {
                "name": "FEDORA-2021-e525e48886",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
              },
              {
                "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
              },
              {
                "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
              },
              {
                "name": "FEDORA-2021-b6b6093b3a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
              },
              {
                "name": "GLSA-202104-04",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202104-04"
              },
              {
                "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
              },
              {
                "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-98720f3785",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
              },
              {
                "name": "FEDORA-2021-12df7f7382",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-23336",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T21:16:05.233145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-444",
                    "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-17T21:16:09.153Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "python/cpython",
              "vendor": "n/a",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.6.13",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.7.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.8.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.8.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.9.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Snyk Security Team"
            }
          ],
          "datePublic": "2021-02-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "PROOF_OF_CONCEPT",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "remediationLevel": "UNAVAILABLE",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 5.6,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H/E:P/RL:U/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Web Cache Poisoning",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-20T21:06:13.958Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933"
            },
            {
              "url": "https://github.com/python/cpython/pull/24297"
            },
            {
              "url": "https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/"
            },
            {
              "name": "[oss-security] 20210219 Django security releases: CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/02/19/4"
            },
            {
              "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2569-1] python-django security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html"
            },
            {
              "name": "FEDORA-2021-7547ad987f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
            },
            {
              "name": "FEDORA-2021-f4fd9372c7",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
            },
            {
              "name": "FEDORA-2021-3352c1c802",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
            },
            {
              "name": "FEDORA-2021-7d3a9004e2",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/"
            },
            {
              "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-907f3bacae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
            },
            {
              "name": "FEDORA-2021-7c1bb32d13",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/"
            },
            {
              "name": "FEDORA-2021-b1843407ca",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/"
            },
            {
              "name": "FEDORA-2021-2897f5366c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/"
            },
            {
              "name": "FEDORA-2021-b326fcb83f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/"
            },
            {
              "name": "FEDORA-2021-1bb399a5af",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/"
            },
            {
              "name": "FEDORA-2021-ef83e8525a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/"
            },
            {
              "name": "FEDORA-2021-b76ede8f4d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/"
            },
            {
              "name": "FEDORA-2021-309bc2e727",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/"
            },
            {
              "name": "FEDORA-2021-5a09621ebb",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/"
            },
            {
              "name": "FEDORA-2021-e22bb0e548",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/"
            },
            {
              "name": "FEDORA-2021-e525e48886",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/"
            },
            {
              "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
            },
            {
              "name": "[debian-lts-announce] 20210417 [SECURITY] [DLA 2628-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html"
            },
            {
              "name": "FEDORA-2021-b6b6093b3a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/"
            },
            {
              "name": "GLSA-202104-04",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202104-04"
            },
            {
              "name": "[airflow-users] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210501 CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/01/2"
            },
            {
              "name": "[announce] 20210501 Apache Airflow CVE: CVE-2021-28359: Apache Airflow Reflected XSS via Origin Query Argument in URL",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-98720f3785",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/"
            },
            {
              "name": "FEDORA-2021-12df7f7382",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210326-0004/"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"
            }
          ],
          "title": "Web Cache Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2021-23336",
        "datePublished": "2021-02-15T12:15:20.788Z",
        "dateReserved": "2021-01-08T00:00:00.000Z",
        "dateUpdated": "2025-12-17T21:16:09.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3177 (GCVE-0-2021-3177)

    Vulnerability from cvelistv5 – Published: 2021-01-19 00:00 – Updated: 2025-12-18 15:03
    VLAI
    Summary
    Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    URL Tags
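    https://bugs.python.org/issue42938
    https://github.com/python/cpython/pull/24239
    https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/ vendor-advisory
    https://security.gentoo.org/glsa/202101-18 vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/ vendor-advisory
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/ vendor-advisory
    https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E mailing-list
    https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/ vendor-advisory
    https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html mailing-list
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://news.ycombinator.com/item?id=26185005
    https://security.netapp.com/advisory/ntap-20210226-0003/
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html mailing-list
    https://www.oracle.com/security-alerts/cpujul2022.html
    https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html mailing-list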

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T16:45:51.394Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://bugs.python.org/issue42938"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/python/cpython/pull/24239"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"
              },
              {
                "name": "FEDORA-2021-faf88b9499",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/"
              },
              {
                "name": "FEDORA-2021-cc3ff94cfc",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/"
              },
              {
                "name": "GLSA-202101-18",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202101-18"
              },
              {
                "name": "FEDORA-2021-e3a5a74610",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/"
              },
              {
                "name": "FEDORA-2021-ced31f3f0c",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/"
              },
              {
                "name": "FEDORA-2021-42ba9feb47",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/"
              },
              {
                "name": "FEDORA-2021-076a2dccba",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/"
              },
              {
                "name": "FEDORA-2021-851c6e4e2d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/"
              },
              {
                "name": "FEDORA-2021-66547ff92d",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/"
              },
              {
                "name": "FEDORA-2021-17668e344a",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/"
              },
              {
                "name": "FEDORA-2021-d5cde50865",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/"
              },
              {
                "name": "FEDORA-2021-7547ad987f",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
              },
              {
                "name": "FEDORA-2021-f4fd9372c7",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
              },
              {
                "name": "FEDORA-2021-3352c1c802",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
              },
              {
                "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
              },
              {
                "name": "FEDORA-2021-907f3bacae",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
              },
              {
                "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=26185005"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20210226-0003/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "name": "[debian-lts-announce] 20220212 [SECURITY] [DLA 2919-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
              },
              {
                "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-3177",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:03:29.016940Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-120",
                    "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:03:34.545Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-24T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://bugs.python.org/issue42938"
            },
            {
              "url": "https://github.com/python/cpython/pull/24239"
            },
            {
              "url": "https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html"
            },
            {
              "name": "FEDORA-2021-faf88b9499",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/"
            },
            {
              "name": "FEDORA-2021-cc3ff94cfc",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/"
            },
            {
              "name": "GLSA-202101-18",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202101-18"
            },
            {
              "name": "FEDORA-2021-e3a5a74610",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/"
            },
            {
              "name": "FEDORA-2021-ced31f3f0c",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/"
            },
            {
              "name": "FEDORA-2021-42ba9feb47",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/"
            },
            {
              "name": "FEDORA-2021-076a2dccba",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/"
            },
            {
              "name": "FEDORA-2021-851c6e4e2d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/"
            },
            {
              "name": "FEDORA-2021-66547ff92d",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/"
            },
            {
              "name": "FEDORA-2021-17668e344a",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/"
            },
            {
              "name": "FEDORA-2021-d5cde50865",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/"
            },
            {
              "name": "FEDORA-2021-7547ad987f",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/"
            },
            {
              "name": "FEDORA-2021-f4fd9372c7",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/"
            },
            {
              "name": "FEDORA-2021-3352c1c802",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/"
            },
            {
              "name": "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
            },
            {
              "name": "FEDORA-2021-907f3bacae",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/"
            },
            {
              "name": "[debian-lts-announce] 20210405 [SECURITY] [DLA 2619-1] python3.5 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html"
            },
            {
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "url": "https://news.ycombinator.com/item?id=26185005"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20210226-0003/"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "[debian-lts-announce] 20220212 [SECURITY] [DLA 2919-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html"
            },
            {
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update",
              "tags": [
                "mailing-list"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-3177",
        "datePublished": "2021-01-19T00:00:00.000Z",
        "dateReserved": "2021-01-19T00:00:00.000Z",
        "dateUpdated": "2025-12-18T15:03:34.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }