Search for packages
| purl | pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1?arch=el7eap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8977-tjss-w7ba
Aliases: CVE-2021-45046 GHSA-7rjr-3q55-vv33 |
Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. | There are no reported fixed by versions. |
|
VCID-9bk7-2rsc-nbd6
Aliases: CVE-2020-13936 GHSA-59j4-wjwp-mw9m |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. | There are no reported fixed by versions. |
|
VCID-9h46-72hw-bkcr
Aliases: CVE-2022-42003 GHSA-jjjh-jjxp-wpff |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. | There are no reported fixed by versions. |
|
VCID-dmkc-42vj-gbhc
Aliases: CVE-2022-1471 GHSA-mjmj-j48q-9wg2 |
SnakeYaml Constructor Deserialization Remote Code Execution ### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... ^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44) **Date disclosed**: 10/13/2022 | There are no reported fixed by versions. |
|
VCID-j986-mtma-b3bw
Aliases: CVE-2022-42889 GHSA-599f-7c49-w659 |
Arbitrary code execution in Apache Commons Text Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. | There are no reported fixed by versions. |
|
VCID-jstt-6zs3-ybew
Aliases: CVE-2021-42392 GHSA-h376-j262-vhq6 GMS-2022-7 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.h2database:h2. | There are no reported fixed by versions. |
|
VCID-jwav-88m7-6fhz
Aliases: CVE-2021-44228 GHSA-jfh8-c2jp-5v3q |
Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory. | There are no reported fixed by versions. |
|
VCID-netd-rr9e-wbg5
Aliases: CVE-2022-45047 GHSA-fhw8-8j55-vwgq |
Unsafe deserialization in Apache MINA SSHD Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. Until version 2.1.0, the code affected by this vulnerability appeared in `org.apache.sshd:sshd-core`. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package `org.apache.sshd:sshd-common`, which did not exist until version 2.1.0. | There are no reported fixed by versions. |
|
VCID-qruf-r6dc-3ugj
Aliases: CVE-2022-41881 GHSA-fx2c-96vj-985v |
HAProxyMessageDecoder Stack Exhaustion DoS ### Impact A StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. ### Patches Users should upgrade to 4.1.86.Final. ### Workarounds There is no workaround, except using a custom HaProxyMessageDecoder. ### References When parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on. The only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type. Providing a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError. The StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash. ### For more information If you have any questions or comments about this advisory: * Open an issue in [netty](https://github.com/netty/netty) | There are no reported fixed by versions. |
|
VCID-turp-dju7-c7fx
Aliases: CVE-2021-44906 GHSA-xvch-5gv4-984h |
Prototype Pollution in minimist Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | There are no reported fixed by versions. |
|
VCID-v2pq-1qhm-4qb9
Aliases: CVE-2022-42004 GHSA-rgv9-q543-rqg4 |
Multiple vulnerabilities have been found in FasterXML jackson-databind, the worst of which could result in denial of service. | There are no reported fixed by versions. |
|
VCID-wp9q-eurd-43dx
Aliases: CVE-2022-45693 GHSA-grr4-wv38-f68w |
Jettison Out-of-bounds Write vulnerability Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. | There are no reported fixed by versions. |
|
VCID-xzs8-rbhd-mkbp
Aliases: CVE-2022-46363 GHSA-3w37-5p3p-jv92 |
Apache CXF vulnerable to Exposure of Sensitive Information A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||