| Vulnerabilities | 13 via 35 paths |
|---|---|
| Dependencies | 117 |
| Source | GitHub |
critical severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the DatabindContext._resolveAndValidateGeneric() method, which validates only the raw container class of a type identifier against the configured PolymorphicTypeValidator and not its nested generic type arguments. An attacker who controls the type identifier can instantiate a denied class, and reach unauthenticated remote code execution through an available gadget, by embedding that class as a generic parameter of an allowlisted container such as java.util.ArrayList<com.evil.Gadget>, which passes validation while the nested type is loaded, instantiated, and populated with attacker-controlled values. Exploitation requires polymorphic type validation to be enabled with a configured validator, the application to deserialize untrusted JSON, and a suitable gadget class on the classpath.
Details
Serialization is the process of converting an object into a sequence of bytes that can be persisted to a disk or database or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.
References
critical severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() method, which allowlists an array based only on clazz.isArray() and does not validate the array's component type. An attacker who controls the deserialized JSON can instantiate types outside the configured allowlist by wrapping them in an array, because array elements without per-element type identifiers are constructed directly with no further validator check.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.
References
high severity
- Vulnerable module: com.fasterxml.jackson.core:jackson-core
- Introduced through: com.fasterxml.jackson.core:jackson-core@2.21.1 and com.fasterxml.jackson.core:jackson-databind@2.21.1
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-core@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.21.2.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1 › com.fasterxml.jackson.core:jackson-core@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.2.
Overview
com.fasterxml.jackson.core:jackson-core provides the core Jackson abstractions and the basic JSON streaming API implementation.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.7, 2.21.2 or higher.
References
high severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.7.10
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › org.postgresql:postgresql@42.7.10. Remediation: Upgrade to org.postgresql:postgresql@42.7.11.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the client-side SCRAM-SHA-256 authentication. An attacker can cause excessive CPU consumption by specifying a very large PBKDF2 iteration count during authentication attempts from a malicious server. This can lead to exhaustion of client CPU resources and disruption of connection pools.
Workaround
The following measures can reduce exposure:
- Only connect to trusted PostgreSQL servers whose identity is verified. Connect only to trusted PostgreSQL servers, and verify server identity with TLS using sslmode=verify-full and a trusted CA. TLS without certificate and hostname verification is not sufficient, as an active network attacker can still impersonate the server.
- Do not rely on loginTimeout as a complete mitigation on unpatched versions. On affected versions, loginTimeout can stop the waiting caller while the worker thread continues spending CPU.
- Avoid SCRAM on untrusted or interceptable connection paths. For those paths, use an authentication method that does not let the server choose a SCRAM PBKDF2 iteration count.
- Reduce blast radius operationally. Limit parallel connection attempts, add retry backoff, isolate connection establishment in a separate worker or process when possible, and apply CPU or container limits where appropriate.
- On trusted servers you control, keep SCRAM iteration counts at ordinary values. This does not defend against an attacker-controlled server, but it avoids unnecessary client cost when talking to legitimate servers.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
- High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
- Crash - An attacker sending crafted requests that could cause the system to crash. For example, the npm ws package.
Remediation
Upgrade org.postgresql:postgresql to version 42.7.11 or higher.
References
high severity
- Vulnerable module: org.lz4:lz4-java
- Introduced through: org.lz4:lz4-java@1.8.1
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › org.lz4:lz4-java@1.8.1
Overview
org.lz4:lz4-java is a Java port of the LZ4 compression algorithm and the xxHash hashing algorithm.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted compressed input.
Note:
- JNI implementations are not vulnerable.
- LZ4Factory.safeInstance(), LZ4Factory.unsafeInstance(), and LZ4Factory.fastestJavaInstance() are all vulnerable. nativeInstance().fastDecompressor() is vulnerable but nativeInstance().safeDecompressor() is not.
- This vulnerability is distinct from the one described in CVE-2025-12183, and was discovered during follow-up research.
Workaround
This vulnerability can be mitigated by zeroing the output buffer before passing it to the decompression function.
Remediation
There is no fixed version for org.lz4:lz4-java.
References
high severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.32
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › ch.qos.logback:logback-classic@1.5.32 › ch.qos.logback:logback-core@1.5.32. Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.36.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Expression Injection in the Janino-evaluated condition attribute of <if> configuration elements, handled by IfModelHandler, whose denylist blocked only the literal new operator. A user who can modify the logback configuration can execute arbitrary code by writing an <if> condition that evades that denylist, either through references it did not cover such as Runtime or springframework, or through Unicode escape sequences like \u that reconstruct the blocked new operator. Exploitation requires write access to the logback configuration and the use of conditional <if> processing with Janino present on the classpath.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.36 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the POJOPropertiesCollector._renameProperties() and BeanDeserializerFactory.addBeanProps() methods, which rename rather than drop a property whose getter carries @JsonProperty and whose setter carries @JsonIgnore, leaving the private backing field writable. An attacker can write a field that was meant to be unsettable, enabling property tampering and mass assignment, by supplying the renamed JSON key during deserialization, because the factory observes hasField()==true and builds a writable FieldProperty for the backing field. Exploitation requires MapperFeature.INFER_PROPERTY_MUTATORS to be enabled, which is the default, and a target type that pairs a renamed getter with an ignored setter, and the impact is limited to writing existing fields with no path to remote code execution.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.21.4 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual() method, which applies the per-property exclusions through _handleByNameInclusion() and then rebuilds the property map from the unfiltered original, overwriting the filtered map and restoring every property the exclusion had removed. An attacker can set fields that were marked ignored, enabling mass assignment, by supplying those property names in untrusted JSON during deserialization. Exploitation requires case-insensitive property matching to be enabled via @JsonFormat with ACCEPT_CASE_INSENSITIVE_PROPERTIES alongside per-property @JsonIgnoreProperties.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the JDKFromStringDeserializer class, which constructs InetSocketAddress and resolves the hostname through DNS at deserialization time. An attacker can force the server to issue outbound DNS lookups for chosen hostnames by submitting JSON that is deserialized into a type holding an InetSocketAddress field, with no authentication required. The observable effect is limited to DNS resolution of attacker-chosen names, useful for out-of-band interaction or internal resolver probing rather than a full outbound request, and it applies only where the application deserializes untrusted JSON into types containing such fields.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.8, 2.21.4 or higher.
References
medium severity
new
- Vulnerable module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.5.32
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › ch.qos.logback:logback-classic@1.5.32. Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.33.
Overview
ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in HardenedObjectInputStream, whose resolveClass allowlist admitted any class whose name starts with java.lang or java.util rather than matching specific authorized classes. An attacker can instantiate dangerous classes such as java.lang.ProcessBuilder during deserialization, reaching remote code execution through a gadget chain, by delivering a malicious serialized object to a logback component that deserializes it, such as its socket receiver for serialized logging events (SocketNode). Exploitation requires the application to deserialize attacker-controlled serialized data through logback, in practice via its socket-based receiver, together with a usable gadget class on the classpath.
Workaround
This vulnerability can be avoided by not exposing logback's socket-based serialized receivers, such as SocketReceiver and ServerSocketReceiver, to untrusted networks, which removes the path by which attacker-controlled serialized objects reach the deserialization filter.
Details
Serialization is the process of converting an object into a sequence of bytes that can be persisted to a disk or database or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade ch.qos.logback:logback-classic to version 1.5.33 or higher.
References
medium severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.32
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › ch.qos.logback:logback-classic@1.5.32 › ch.qos.logback:logback-core@1.5.32. Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.33.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in HardenedObjectInputStream, whose resolveClass allowlist admitted any class whose name starts with java.lang or java.util rather than matching specific authorized classes. An attacker can instantiate dangerous classes such as java.lang.ProcessBuilder during deserialization, reaching remote code execution through a gadget chain, by delivering a malicious serialized object to a logback component that deserializes it, such as its socket receiver for serialized logging events (SocketNode). Exploitation requires the application to deserialize attacker-controlled serialized data through logback, in practice via its socket-based receiver, together with a usable gadget class on the classpath.
Workaround
This vulnerability can be avoided by not exposing logback's socket-based serialized receivers, such as SocketReceiver and ServerSocketReceiver, to untrusted networks, which removes the path by which attacker-controlled serialized objects reach the deserialization filter.
Details
Serialization is the process of converting an object into a sequence of bytes that can be persisted to a disk or database or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.33 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Incorrect Authorization in the BeanDeserializer._deserializeUsingPropertyBased method, whose property-buffering branch omits the prop.visibleInView(activeView) check that the creator-property branch performs. An attacker can populate view-restricted setterless collection or map properties, such as admin-only fields, from untrusted JSON by supplying values for them during deserialization, bypassing @JsonView protection. This affects only setterless collection or map properties annotated with a restricted @JsonView and reached through the property-based creator path.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.21.4 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.21.1 and com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0
Detailed paths
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.fasterxml.jackson.core:jackson-databind@2.21.1. Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.21.4.
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
- Introduced through: laserdisc-io/tamer@laserdisc-io/tamer › com.oracle.oci.sdk:oci-java-sdk-objectstorage@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@3.81.0 › com.oracle.oci.sdk:oci-java-sdk-common@3.81.0 › com.fasterxml.jackson.core:jackson-databind@2.21.1
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Incorrect Authorization in the UnwrappedPropertyHandler.processUnwrappedCreatorProperties() method, which replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). An attacker can set view-restricted constructor parameters annotated with both @JsonView and @JsonUnwrapped, such as admin-only fields, from untrusted JSON by supplying them during deserialization while a more restrictive view is active, defeating the @JsonView write-side authorization boundary.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.21.4 or higher.