client-4.4.0.jar: 55 vulnerabilities (highest severity is: 9.8) unreachable #34

@mend-for-github-com

Description

Vulnerable Library - client-4.4.0.jar

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Vulnerabilities

Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (client version) | Remediation Possible** | Reachability
CVE-2020-9548 Critical 9.8 Not Defined 62.015% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-9547 Critical 9.8 Not Defined 38.262% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-9546 Critical 9.8 Not Defined 2.39% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-8840 Critical 9.8 Not Defined 8.109% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-20330 Critical 9.8 Not Defined 1.914% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-17267 Critical 9.8 Not Defined 1.228% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-16943 Critical 9.8 Not Defined 1.891% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-16942 Critical 9.8 Not Defined 0.426% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-14540 Critical 9.8 Not Defined 6.454% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36184 High 8.8 Not Defined 7.471% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36182 High 8.8 Not Defined 2.95% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36181 High 8.8 Not Defined 5.862% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36180 High 8.8 Not Defined 3.194% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36179 High 8.8 Not Defined 61.883% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-11113 High 8.8 Not Defined 60.714% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-11112 High 8.8 Not Defined 6.772% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-11111 High 8.8 Not Defined 2.082% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-10969 High 8.8 Not Defined 1.035% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-10968 High 8.8 Not Defined 3.824% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-10673 High 8.8 Not Defined 20.898% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-10672 High 8.8 Not Defined 39.493% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2021-20190 High 8.1 Not Defined 0.502% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36189 High 8.1 Not Defined 4.276% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36188 High 8.1 Not Defined 10.179% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36187 High 8.1 Not Defined 2.335% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36186 High 8.1 Not Defined 2.623% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36185 High 8.1 Not Defined 2.95% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-36183 High 8.1 Not Defined 2.241% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-35728 High 8.1 Not Defined 42.315% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-35491 High 8.1 Not Defined 6.186% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-35490 High 8.1 Not Defined 4.249% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-24750 High 8.1 Not Defined 2.052% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-24616 High 8.1 Not Defined 2.908% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-14195 High 8.1 Not Defined 9.286% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-14062 High 8.1 Not Defined 9.872% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-14061 High 8.1 Not Defined 6.308% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-14060 High 8.1 Not Defined 8.934% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-11620 High 8.1 Not Defined 2.182% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-11619 High 8.1 Not Defined 1.367% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-10650 High 8.1 Not Defined 9.009% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-10202 High 8.1 Not Defined 7.423% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
WS-2026-0003 High 7.5 Not Defined jackson-core-2.9.8.jar Transitive N/A* Unreachable
WS-2022-0468 High 7.5 Not Defined jackson-core-2.9.8.jar Transitive N/A* Unreachable
CVE-2025-52999 High 7.5 Not Defined 0.252% jackson-core-2.9.8.jar Transitive N/A* Unreachable
CVE-2022-42004 High 7.5 Not Defined 0.25% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2022-42003 High 7.5 Not Defined 0.317% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2020-25649 High 7.5 Not Defined 0.075% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-14893 High 7.5 Not Defined 0.983% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
CVE-2019-14892 High 7.5 Not Defined 0.897% jackson-databind-2.9.8.jar Transitive N/A* Unreachable
WS-2019-0379 Medium 6.5 Not Defined commons-codec-1.11.jar Transitive N/A* Unreachable
CVE-2025-48924 Medium 5.3 Not Defined 0.095% commons-lang3-3.8.1.jar Transitive N/A* Unreachable
CVE-2020-13956 Medium 5.3 Not Defined 0.505% httpclient-4.5.8.jar Transitive N/A* Unreachable
CVE-2021-29425 Medium 4.8 Not Defined 0.485% commons-io-2.5.jar Transitive N/A* Unreachable
CVE-2024-47554 Medium 4.3 Not Defined 0.131% commons-io-2.5.jar Transitive N/A* Unreachable
CVE-2025-49128 Medium 4.0 Not Defined 0.027% jackson-core-2.9.8.jar Transitive N/A* Unreachable

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-9548

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 62.015%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2020-9547

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 38.262%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-q93h-jc49-78gg

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2020-9546

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.39%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-8840

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 8.109%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3

CVE-2019-20330

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.914%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2

CVE-2019-17267

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-06

URL: CVE-2019-17267

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.228%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10

CVE-2019-16943

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.891%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-fmmc-742q-jg75

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10.1

CVE-2019-16942

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.426%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-mx7p-6679-8g3q

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10.1

CVE-2019-14540

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.454%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-h822-r4r5-v8jg

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.8.11.5,2.9.10

CVE-2020-36184

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

Publish Date: 2021-01-06

URL: CVE-2020-36184

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.471%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

CVE-2020-36182

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36182

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.95%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

CVE-2020-36181

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36181

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 5.862%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

CVE-2020-36180

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36180

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 3.194%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

CVE-2020-36179

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

Publish Date: 2021-01-06

URL: CVE-2020-36179

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 61.883%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8

CVE-2020-11113

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

Publish Date: 2020-03-31

URL: CVE-2020-11113

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 60.714%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4;2.10.0

CVE-2020-11112

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

Publish Date: 2020-03-31

URL: CVE-2020-11112

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 6.772%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4,2.10.0

CVE-2020-11111

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nexmo-spring-boot-autoconfigure/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • client-4.4.0.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

Publish Date: 2020-03-31

URL: CVE-2020-11111

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.082%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113

Release Date: 2020-03-31

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4,2.10.0
