Search for packages
| purl | pkg:rpm/redhat/tfm-rubygem-runcible@2.13.0-1?arch=el7sat |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2g54-3acq-pbha
Aliases: CVE-2020-10716 |
rubygem-foreman_ansible: "User input" entry from Job Invocation may contain sensitive data | There are no reported fixed by versions. |
|
VCID-3qjf-azsa-fbek
Aliases: CVE-2020-14060 GHSA-j823-4qch-3rgm |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | There are no reported fixed by versions. |
|
VCID-3wa1-khqf-x7fv
Aliases: CVE-2020-10968 GHSA-rf6r-2c4q-2vwg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). | There are no reported fixed by versions. |
|
VCID-96pq-m4f3-zbad
Aliases: CVE-2019-20330 GHSA-gww7-p5w4-wrfv |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. | There are no reported fixed by versions. |
|
VCID-9qdt-7p83-4yd8
Aliases: CVE-2020-10969 GHSA-758m-v56v-grj4 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | There are no reported fixed by versions. |
|
VCID-9wej-f7zx-pfeq
Aliases: CVE-2019-12086 GHSA-5ww9-j83m-q7qx |
Information exposure in FasterXML jackson-databind A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | There are no reported fixed by versions. |
|
VCID-a5sk-5grx-eyaf
Aliases: CVE-2020-11619 GHSA-27xj-rqx5-2255 |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). | There are no reported fixed by versions. |
|
VCID-bhq3-j6aj-1yae
Aliases: CVE-2019-10086 GHSA-6phf-73q6-gh87 |
Insecure Deserialization in Apache Commons Beanutils In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. | There are no reported fixed by versions. |
|
VCID-bydt-bkf4-rbh2
Aliases: CVE-2020-9546 GHSA-5p34-5m6p-p58g |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | There are no reported fixed by versions. |
|
VCID-jvp6-892x-nkc7
Aliases: CVE-2020-9548 GHSA-p43x-xfjf-5jhr |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | There are no reported fixed by versions. |
|
VCID-mv26-fzn6-vycf
Aliases: CVE-2017-17718 GHSA-m7p8-9w66-9frm |
No validation of hostname certificate Net-ldap does not validate the hostname certificate. Ruby is relying on OpenSSL, and one common mistake made by users of OpenSSL is to assume that OpenSSL will validate the hostname in the server's certificate. did not perform hostname validation. and up contain support for hostname validation, but they still require the user to call a few functions to set it up. | There are no reported fixed by versions. |
|
VCID-pnt3-1ssq-tqau
Aliases: CVE-2020-14061 GHSA-c2q3-4qrh-fm48 |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | There are no reported fixed by versions. |
|
VCID-ruae-hqdg-m7ek
Aliases: CVE-2020-9547 GHSA-q93h-jc49-78gg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). | There are no reported fixed by versions. |
|
VCID-uygc-h93v-vuh8
Aliases: CVE-2020-14062 GHSA-c265-37vj-cwcc |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | There are no reported fixed by versions. |
|
VCID-xnyb-nuwm-pkdr
Aliases: CVE-2020-8840 GHSA-4w82-r329-3q67 |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | There are no reported fixed by versions. |
|
VCID-z6er-42pm-7ubq
Aliases: CVE-2019-0231 GHSA-5h29-qq92-wj7f |
Cleartext Transmission of Sensitive Information in Apache MINA Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA. | There are no reported fixed by versions. |
|
VCID-ze79-6kcg-nfcp
Aliases: CVE-2020-14195 GHSA-mc6h-4qgp-37qh |
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||