Vulnerabilities

6 via 47 paths

Dependencies

33

Source

GitHub

critical severity
new

Deserialization of Untrusted Data

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.2 and org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.21.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the DatabindContext._resolveAndValidateGeneric() method, which validates only the raw container class of a type identifier against the configured PolymorphicTypeValidator and not its nested generic type arguments. An attacker who controls the type identifier can instantiate a denied class, and reach unauthenticated remote code execution through an available gadget, by embedding that class as a generic parameter of an allowlisted container such as java.util.ArrayList<com.evil.Gadget>, which passes validation while the nested type is loaded, instantiated, and populated with attacker-controlled values. Exploitation requires polymorphic type validation to be enabled with a configured validator, the application to deserialize untrusted JSON, and a suitable gadget class on the classpath.

Details

Serialization is the process of converting an object into a sequence of bytes which can be persisted to a disk or database, or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols such as Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.

critical severity
new

Incomplete List of Disallowed Inputs

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.2 and org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.21.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() method, which allowlists an array based only on clazz.isArray() and does not validate the array's component type. An attacker who controls the deserialized JSON can instantiate types outside the configured allowlist by wrapping them in an array, because array elements without per-element type identifiers are constructed directly with no further validator check.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.

medium severity
new

Server-side Request Forgery (SSRF)

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.2 and org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.21.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the JDKFromStringDeserializer class, which constructs InetSocketAddress and resolves the hostname through DNS at deserialization time. An attacker can force the server to issue outbound DNS lookups for chosen hostnames by submitting JSON that is deserialized into a type holding an InetSocketAddress field, with no authentication required. The observable effect is limited to DNS resolution of attacker-chosen names, useful for out-of-band interaction or internal resolver probing rather than a full outbound request, and it applies only where the application deserializes untrusted JSON into types containing such fields.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.

medium severity
new

Incorrect Authorization

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.2 and org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.21.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Incorrect Authorization in the BeanDeserializer._deserializeUsingPropertyBased method, whose property-buffering branch omits the prop.visibleInView(activeView) check that the creator-property branch performs. An attacker can populate view-restricted setterless collection or map properties, such as admin-only fields, from untrusted JSON by supplying values for them during deserialization, bypassing @JsonView protection. This affects only setterless collection or map properties annotated with a restricted @JsonView and reached through the property-based creator path.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.21.4 or higher.

medium severity
new

Incorrect Authorization

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.2 and org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.fasterxml.jackson.core:jackson-databind@2.21.2
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-cbor@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-csv@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-xml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:jackson2-api@2.21.2-436.v29efdb_7418ff com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.21.2 com.fasterxml.jackson.core:jackson-databind@2.21.2

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Incorrect Authorization in the UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method, which replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). An attacker can set view-restricted constructor parameters annotated with both @JsonView and @JsonUnwrapped, such as admin-only fields, from untrusted JSON by supplying them during deserialization while a more restrictive view is active, defeating the @JsonView write-side authorization boundary.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.21.4 or higher.

medium severity

LGPL-2.1 license

  • Module: com.github.spotbugs:spotbugs-annotations
  • Introduced through: com.github.spotbugs:spotbugs-annotations@4.10.2

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin com.github.spotbugs:spotbugs-annotations@4.10.2

low severity

Information Exposure

  • Vulnerable module: org.jenkins-ci.plugins:structs
  • Introduced through: org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ and org.jenkins-ci.plugins:credentials@999999-SNAPSHOT

Detailed paths

  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins.workflow:workflow-step-api@724.v538c2362b_dfb_ org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8
  • Introduced through: jenkinsci/snyk-security-scanner-plugin@jenkinsci/snyk-security-scanner-plugin org.jenkins-ci.plugins:credentials@999999-SNAPSHOT org.jenkins-ci.plugins:structs@337.v1b_04ea_4df7c8

Overview

Affected versions of this package are vulnerable to Information Exposure: when a build step fails to configure, the plugin logs a warning message containing diagnostic information that may include secrets passed as step parameters. This can result in accidental exposure of secrets through the default system log.

Remediation

Upgrade org.jenkins-ci.plugins:structs to version 338.v848422169819 or higher.
