Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-8kwc-sxvr-skgp

Summary

Unsafe Deserialization in jackson-databind
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.

Aliases

alias	CVE-2020-36186

alias	GHSA-v585-23hc-c647

Fixed_packages

url	pkg:deb/debian/jackson-databind@2.12.1-1?distro=trixie
purl	pkg:deb/debian/jackson-databind@2.12.1-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.12.1-1%3Fdistro=trixie

url pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1?distro=trixie

purl pkg:deb/debian/jackson-databind@2.12.1-1%2Bdeb11u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2841-dnfz-2qgm

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.12.1-1%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/jackson-databind@2.14.0-1?distro=trixie
purl	pkg:deb/debian/jackson-databind@2.14.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.14.0-1%3Fdistro=trixie

url	pkg:deb/debian/jackson-databind@2.14.0%2Bds-1?distro=trixie
purl	pkg:deb/debian/jackson-databind@2.14.0%2Bds-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/jackson-databind@2.14.0%252Bds-1%3Fdistro=trixie

url	pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8
purl	pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8

Affected_packages

url pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0

purl pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1uan-q6u8-affj

vulnerability	VCID-5887-pcyq-nkht

vulnerability	VCID-7svn-u8ub-4faw

vulnerability	VCID-8htk-33f4-4ufg

vulnerability	VCID-8kwc-sxvr-skgp

vulnerability	VCID-auzw-j1fc-jff8

vulnerability	VCID-fkct-tzwg-mkh8

vulnerability	VCID-kdkp-1ucy-w3g1

vulnerability	VCID-nz1v-4hgs-6yge

vulnerability	VCID-qx3m-tcqj-ukc2

vulnerability	VCID-r92s-4m4x-dqc7

vulnerability	VCID-rfqz-nf3z-v3a3

vulnerability	VCID-uzry-ts4t-fbc8

vulnerability	VCID-vnh3-bvyq-13d6

vulnerability	VCID-xqz3-k7ts-juck

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36186.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36186.json

reference_url

https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

reference_url

https://github.com/FasterXML/jackson-databind

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FasterXML/jackson-databind

reference_url

https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1

reference_url

https://github.com/FasterXML/jackson-databind/issues/2997

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FasterXML/jackson-databind/issues/2997

reference_url

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html

reference_url

https://security.netapp.com/advisory/ntap-20210205-0005

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210205-0005

reference_url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuApr2021.html

reference_url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1913931
reference_id	1913931
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1913931

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-36186

reference_id

CVE-2020-36186

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-36186

reference_url	https://github.com/advisories/GHSA-v585-23hc-c647
reference_id	GHSA-v585-23hc-c647
reference_type
scores
url	https://github.com/advisories/GHSA-v585-23hc-c647

reference_url	https://access.redhat.com/errata/RHSA-2021:1230
reference_id	RHSA-2021:1230
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1230

reference_url	https://access.redhat.com/errata/RHSA-2021:1515
reference_id	RHSA-2021:1515
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1515

Weaknesses

cwe_id	502
name	Deserialization of Untrusted Data
description	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8kwc-sxvr-skgp

Vulnerability Instance