Vulnerabilities

3 via 20 paths

Dependencies

33

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Issue type
  • 3
  • 1
Severity
  • 1
  • 2
  • 1
Status
  • 4
  • 0
  • 0

high severity
new

Incorrect Authorization

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.22.0
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSON input.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.

References

medium severity
new

Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.22.0
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.22.0-439.vb_b_43658d6176 com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual() method, which applies the per-property exclusions through _handleByNameInclusion() and then rebuilds the property map from the unfiltered original, overwriting the filtered map and restoring every property the exclusion had removed. An attacker can set fields that were marked ignored, enabling mass assignment, by supplying those property names in untrusted JSON during deserialization. Exploitation requires case-insensitive property matching to be enabled via @JsonFormat with ACCEPT_CASE_INSENSITIVE_PROPERTIES alongside per-property @JsonIgnoreProperties.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.

References

medium severity

LGPL-2.1 license

  • Module: com.github.spotbugs:spotbugs-annotations
  • Introduced through: com.github.spotbugs:spotbugs-annotations@4.10.3

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.github.spotbugs:spotbugs-annotations@4.10.3

LGPL-2.1 license

low severity

Information Exposure

  • Vulnerable module: org.jenkins-ci.plugins:structs
  • Introduced through: org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ and org.jenkins-ci.plugins:credentials@999999-SNAPSHOT

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:credentials@999999-SNAPSHOT org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8

Overview

Affected versions of this package are vulnerable to Information Exposure due to a failuire to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters. Exploiting this vulnerability can result in accidental exposure of secrets through the default system log.

Remediation

Upgrade org.jenkins-ci.plugins:structs to version 338.v848422169819 or higher.

References