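# Protobuf text-format fixture: one component and one vulnerability entry
# (appears to be a CycloneDX 1.4 BOM, judging by spec_version / bom_ref /
# serial_number). Comments are ignored by textproto parsers.
spec_version: "1.4"
version: 1
serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"

components {
  type: CLASSIFICATION_LIBRARY
  # bom_ref reuses the purl so vulnerabilities.affects.ref below can name it.
  bom_ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
  group: "com.fasterxml.jackson.core"
  name: "jackson-databind"
  version: "2.9.4"
  purl: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
}

vulnerabilities {
  bom_ref: "6eee14da-8f42-4cc4-bb65-203235f02415"
  id: "SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
  source: {
    name: "Snyk"
    url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111"
  }
  references: {
    id: "CVE-2018-7489"
    source: {
      name: "NVD"
      # The URL must resolve to the same CVE as `id`. It previously pointed at
      # CVE-2019-9997, which would misattribute the finding for any consumer
      # that follows the link instead of trusting the id.
      url: "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
    }
  }
  ratings: {
    source: {
      name: "NVD"
      url: "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.0"
    }
    score: 9.8
    severity: SEVERITY_CRITICAL
    method: SCORE_METHOD_CVSSV3
    # Must match the vector embedded in the calculator URL above. The previous
    # value "AN/AC:L/..." dropped the "AV:" metric name and is not a parseable
    # CVSS v3 vector, so tools re-deriving the score from it would fail.
    vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    justification: "An optional reason for rating the vulnerability as it was"
  }
  cwes: 184
  cwes: 502
  # NOTE(review): the description's 2.7.x fix version (2.7.9.3) does not agree
  # with the 2.6.7.5 / 2.7.0 bounds used in `recommendation` and `affects`
  # below; reconcile against the upstream advisory before reusing this data.
  description: "FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath."
  detail: ""
  recommendation: "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5, 2.8.11.1, 2.9.5 or higher."
  advisories: {
    title: "GitHub Commit"
    url: "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2"
  }
  advisories: {
    title: "GitHub Issue"
    url: "https://github.com/FasterXML/jackson-databind/issues/1931"
  }
  # NOTE(review): 3173618478 seconds since the epoch lands around the year
  # 2070 — an obvious placeholder. Fine for a parse fixture, not for real data.
  created: {
    seconds: 3173618478
    nanos: 3
  }
  published: {
    seconds: 3173618478
    nanos: 3
  }
  updated: {
    seconds: 3173618478
    nanos: 3
  }
  credits: {
    organizations: {
      name: "Acme, Inc."
      url: "https://example.com"
    }
    individuals: {
      name: "Jane Doe"
      email: "jane.doe@example.com"
    }
  }
  tools: {
    vendor: "Snyk"
    name: "Snyk CLI (Linux)"
    version: "1.729.0"
    hashes: {
      alg: HASH_ALG_SHA_256
      value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
    }
  }
  # NOTE(review): NOT_AFFECTED + CODE_NOT_REACHABLE alongside both WILL_NOT_FIX
  # and UPDATE responses is self-contradictory for a real VEX statement;
  # presumably it only exercises the repeated `response` field here.
  analysis: {
    state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED
    justification: IMPACT_ANALYSIS_JUSTIFICATION_CODE_NOT_REACHABLE
    response: VULNERABILITY_RESPONSE_WILL_NOT_FIX
    response: VULNERABILITY_RESPONSE_UPDATE
    detail: "An optional explanation of why the application is not affected by the vulnerable component."
  }
  affects: {
    # ref must match the component bom_ref above.
    ref: "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4"
    versions: {
      range: "vers:semver/<2.6.7.5"
      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
    }
    # NOTE(review): in the vers syntax a bare constraint such as `2.7.0` reads
    # as equality, not a lower bound; if ">=2.7.0" was intended these two
    # ranges should say so — confirm against the VERSION-RANGE-SPEC.
    versions: {
      range: "vers:semver/2.7.0|<2.8.11.1"
      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
    }
    versions: {
      range: "vers:semver/2.9.0|<2.9.5"
      status: VULNERABILITY_AFFECTED_STATUS_AFFECTED
    }
  }
  # Property names repeat on purpose ("Foo" three times); this fixture relies
  # on consumers accepting duplicate names rather than treating them as a map.
  properties {
    name: "Foo"
    value: "Bar"
  }
  properties {
    name: "Foo"
    value: "You"
  }
  properties {
    name: "Foo"
    value: "Two"
  }
  properties {
    name: "Bar"
    value: "Foo"
  }
}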