VulnerableCode Package Details - pkg:rpm/redhat/eap7-resteasy@3.6.1-4.SP3_redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-5r6v-ej7d-ubgv Aliases: CVE-2018-12022 GHSA-cjjf-94ff-43w7	An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.	There are no reported fixed by versions.
VCID-6zee-aqcc-vfbp Aliases: CVE-2018-11307 GHSA-qr7j-h6gg-jmgc	An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.	There are no reported fixed by versions.
VCID-8wsj-hxc5-53fa Aliases: CVE-2019-3805	wildfly: Race condition on PID file allows for termination of arbitrary processes by local users	There are no reported fixed by versions.
VCID-fafy-ugq3-cfbn Aliases: CVE-2018-14721 GHSA-9mxf-g3x6-wv74	Server-Side Request Forgery (SSRF) FasterXML jackson-databind might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the `axis2-jaxws` class from polymorphic deserialization.	There are no reported fixed by versions.
VCID-j1b1-9cpm-ffgd Aliases: CVE-2019-3894	wildfly: wrong SecurityIdentity for EE concurrency threads that are reused	There are no reported fixed by versions.
VCID-rqvc-k1jm-9kg9 Aliases: CVE-2018-14642 GHSA-vf6r-mmhc-3xcm	Information Exposure An information leak vulnerability was found in Undertow. If all headers are not written out in the first `write()` call, the code that handles flushing the buffer will always write out the full contents of the `writevBuffer` buffer, which may contain data from previous requests.	There are no reported fixed by versions.
VCID-sw29-epz3-g7ep Aliases: CVE-2018-14720 GHSA-x2w5-5m2g-7h5m	Improper Restriction of XML External Entity Reference FasterXML jackson-databind might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.	There are no reported fixed by versions.
VCID-zdwv-ycey-myfc Aliases: CVE-2018-12023 GHSA-6wqp-v4v6-c87c	An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-5r6v-ej7d-ubgv
Aliases:
CVE-2018-12022
GHSA-cjjf-94ff-43w7

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.