VulnerableCode Package Details - pkg:rpm/redhat/eap7-jackson-databind@2.8.11.5-1.redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-16af-yv1z-xufy Aliases: CVE-2019-17531 GHSA-gjmw-vf9h-g25v	jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.	There are no reported fixed by versions.
VCID-aqt5-2ffy-9bgs Aliases: CVE-2019-9515	HTTP/2: flood using SETTINGS frames results in unbounded memory growth	There are no reported fixed by versions.
VCID-dmv4-ydq9-a7eq Aliases: CVE-2019-9511	Excessive CPU usage in HTTP/2 with small window updates	There are no reported fixed by versions.
VCID-hbte-dsw2-y7ad Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9	golang.org/x/net/http vulnerable to ping floods Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. ### Specific Go Packages Affected golang.org/x/net/http2	There are no reported fixed by versions.
VCID-n66u-b73u-zucb Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f	golang.org/x/net/http vulnerable to a reset flood Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. ### Specific Go Packages Affected golang.org/x/net/http2	There are no reported fixed by versions.
VCID-nrk8-v4zp-6ubx Aliases: CVE-2020-1710	EAP: field-name is not parsed in accordance to RFC7230	There are no reported fixed by versions.
VCID-wg36-q48g-mkds Aliases: CVE-2019-14379 GHSA-6fpp-rgj9-8rwc	Deserialization of untrusted data in FasterXML jackson-databind SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.	There are no reported fixed by versions.
VCID-ygs8-4gxq-kygq Aliases: CVE-2019-12384 GHSA-mph4-vhrx-mv67	Deserialization of Untrusted Data in FasterXML jackson-databind FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-16af-yv1z-xufy
Aliases:
CVE-2019-17531
GHSA-gjmw-vf9h-g25v

jackson-databind polymorphic typing issue A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.