Vulnerabilities |
3 via 20 paths |
|---|---|
Dependencies |
33 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176
Detailed paths
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › com.fasterxml.jackson.core:jackson-databind@2.22.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSON input.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176
Detailed paths
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › com.fasterxml.jackson.core:jackson-databind@2.22.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 › com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual() method, which applies the per-property exclusions through _handleByNameInclusion() and then rebuilds the property map from the unfiltered original, overwriting the filtered map and restoring every property the exclusion had removed. An attacker can set fields that were marked ignored, enabling mass assignment, by supplying those property names in untrusted JSON during deserialization. Exploitation requires case-insensitive property matching to be enabled via @JsonFormat with ACCEPT_CASE_INSENSITIVE_PROPERTIES alongside per-property @JsonIgnoreProperties.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.
References
medium severity
- Module: com.github.spotbugs:spotbugs-annotations
- Introduced through: com.github.spotbugs:spotbugs-annotations@4.10.3
Detailed paths
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › com.github.spotbugs:spotbugs-annotations@4.10.3
LGPL-2.1 license
low severity
- Vulnerable module: org.jenkins-ci.plugins:structs
- Introduced through: org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ and org.jenkins-ci.plugins:credentials@999999-SNAPSHOT
Detailed paths
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ › org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8
-
Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin › org.jenkins-ci.plugins:credentials@999999-SNAPSHOT › org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8
Overview
Affected versions of this package are vulnerable to Information Exposure due to a failuire to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters. Exploiting this vulnerability can result in accidental exposure of secrets through the default system log.
Remediation
Upgrade org.jenkins-ci.plugins:structs to version 338.v848422169819 or higher.