Search for packages
| purl | pkg:rpm/redhat/eap7-jackson-databind@2.9.10.4-1.redhat_00001.1?arch=el6eap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1bfp-5ub3-dqbr
Aliases: CVE-2020-14307 |
wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service | There are no reported fixed by versions. |
|
VCID-5qfd-jjh1-d3fx
Aliases: CVE-2020-10673 GHSA-fqwf-pjwf-7vqv |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | There are no reported fixed by versions. |
|
VCID-73st-24ck-uydb
Aliases: CVE-2020-10687 GHSA-p9w3-gwc2-cr49 |
HTTP Request Smuggling in Undertow A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. | There are no reported fixed by versions. |
|
VCID-99vp-bk8n-q3cp
Aliases: CVE-2020-10714 GHSA-7fhr-2694-rg79 |
Session Fixation A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | There are no reported fixed by versions. |
|
VCID-aedf-8vvz-37cp
Aliases: CVE-2020-1695 GHSA-63cq-ppq8-cw6g |
Improper Input Validation in RESTEasy A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. | There are no reported fixed by versions. |
|
VCID-afkn-k8yk-w3dr
Aliases: CVE-2020-10693 GHSA-rmrm-75hp-phr2 |
Improper Input Validation in Hibernate Validator A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. | There are no reported fixed by versions. |
|
VCID-b6jd-akz5-zbds
Aliases: CVE-2020-10683 GHSA-hwj3-m3p6-hj38 |
dom4j allows External Entities by default which might enable XXE attacks dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended. | There are no reported fixed by versions. |
|
VCID-bydt-bkf4-rbh2
Aliases: CVE-2020-9546 GHSA-5p34-5m6p-p58g |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | There are no reported fixed by versions. |
|
VCID-bznx-gnst-3qgd
Aliases: CVE-2020-1748 GHSA-qgrq-cx4c-2rmm |
Incorrect Authorization in WildFly Elytron A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources. | There are no reported fixed by versions. |
|
VCID-jvp6-892x-nkc7
Aliases: CVE-2020-9548 GHSA-p43x-xfjf-5jhr |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | There are no reported fixed by versions. |
|
VCID-mapy-1mup-wfgx
Aliases: CVE-2020-10740 GHSA-vrmw-2xhq-hrmp |
Wildfly Unsafe Deserialization Vulnerability A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. | There are no reported fixed by versions. |
|
VCID-nrk8-v4zp-6ubx
Aliases: CVE-2020-1710 |
EAP: field-name is not parsed in accordance to RFC7230 | There are no reported fixed by versions. |
|
VCID-qxnf-qs7c-4fby
Aliases: CVE-2019-14900 GHSA-8grg-q944-cch5 |
SQL Injection in Hibernate ORM A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. | There are no reported fixed by versions. |
|
VCID-ruae-hqdg-m7ek
Aliases: CVE-2020-9547 GHSA-q93h-jc49-78gg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). | There are no reported fixed by versions. |
|
VCID-tbhh-2tte-kkdk
Aliases: CVE-2020-6950 GHSA-rpq8-mmwh-q9hm |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | There are no reported fixed by versions. |
|
VCID-u65n-566a-d7dp
Aliases: CVE-2020-10718 |
wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API | There are no reported fixed by versions. |
|
VCID-wdgx-34uc-2qa4
Aliases: CVE-2020-10672 GHSA-95cm-88f5-f2c7 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | There are no reported fixed by versions. |
|
VCID-xnyb-nuwm-pkdr
Aliases: CVE-2020-8840 GHSA-4w82-r329-3q67 |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | There are no reported fixed by versions. |
|
VCID-zea8-w4br-6qas
Aliases: CVE-2020-14297 GHSA-qcch-9268-59jw |
Wildfly EJB Client causes DoS A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventually unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||