Vulnerabilities |
5 via 26 paths |
|---|---|
Dependencies |
116 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.ligoj.bootstrap:bootstrap-business@3.3.6
Detailed paths
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › com.fasterxml.jackson.core:jackson-databind@2.22.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › io.swagger.core.v3:swagger-integration-jakarta@2.2.51 › io.swagger.core.v3:swagger-core-jakarta@2.2.51 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › io.swagger.core.v3:swagger-integration-jakarta@2.2.51 › io.swagger.core.v3:swagger-core-jakarta@2.2.51 › com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSON input.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.
References
high severity
new
- Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
- Introduced through: org.apache.httpcomponents.client5:httpclient5@5.6.1 and org.ligoj.bootstrap:bootstrap-business@3.3.6
Detailed paths
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.apache.httpcomponents.client5:httpclient5@5.6.1 › org.apache.httpcomponents.core5:httpcore5-h2@5.4Remediation: Upgrade to org.apache.httpcomponents.client5:httpclient5@5.6.2.
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.apache.httpcomponents.client5:httpclient5@5.6.1 › org.apache.httpcomponents.core5:httpcore5-h2@5.4
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the HPackDecoder process. An attacker can exhaust system memory by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.
Remediation
Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.3, 5.5-beta2 or higher.
References
high severity
new
- Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
- Introduced through: org.apache.httpcomponents.client5:httpclient5@5.6.1 and org.ligoj.bootstrap:bootstrap-business@3.3.6
Detailed paths
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.apache.httpcomponents.client5:httpclient5@5.6.1 › org.apache.httpcomponents.core5:httpcore5-h2@5.4Remediation: Upgrade to org.apache.httpcomponents.client5:httpclient5@5.6.2.
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.apache.httpcomponents.client5:httpclient5@5.6.1 › org.apache.httpcomponents.core5:httpcore5-h2@5.4
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP/1.1 message parsing process. An attacker can exhaust system memory by sending messages with an excessive number of headers or excessively long headers.
Remediation
Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.2, 5.5-beta1 or higher.
References
medium severity
new
- Vulnerable module: com.fasterxml.jackson.core:jackson-databind
- Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.ligoj.bootstrap:bootstrap-business@3.3.6
Detailed paths
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › com.fasterxml.jackson.core:jackson-databind@2.22.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 › com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › io.swagger.core.v3:swagger-integration-jakarta@2.2.51 › io.swagger.core.v3:swagger-core-jakarta@2.2.51 › com.fasterxml.jackson.core:jackson-databind@2.22.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 › io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 › io.swagger.core.v3:swagger-integration-jakarta@2.2.51 › io.swagger.core.v3:swagger-core-jakarta@2.2.51 › com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 › com.fasterxml.jackson.core:jackson-databind@2.22.0
Overview
com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual() method, which applies the per-property exclusions through _handleByNameInclusion() and then rebuilds the property map from the unfiltered original, overwriting the filtered map and restoring every property the exclusion had removed. An attacker can set fields that were marked ignored, enabling mass assignment, by supplying those property names in untrusted JSON during deserialization. Exploitation requires case-insensitive property matching to be enabled via @JsonFormat with ACCEPT_CASE_INSENSITIVE_PROPERTIES alongside per-property @JsonIgnoreProperties.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.
References
medium severity
new
- Vulnerable module: org.apache.logging.log4j:log4j-api
- Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.6
Detailed paths
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.logging.log4j:log4j-api@2.26.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.logging.log4j:log4j-core@2.26.0 › org.apache.logging.log4j:log4j-api@2.26.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.logging.log4j:log4j-slf4j2-impl@2.26.0 › org.apache.logging.log4j:log4j-api@2.26.0
-
Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded › org.ligoj.bootstrap:bootstrap-business@3.3.6 › org.ligoj.bootstrap:bootstrap-core@3.3.6 › org.apache.logging.log4j:log4j-slf4j2-impl@2.26.0 › org.apache.logging.log4j:log4j-core@2.26.0 › org.apache.logging.log4j:log4j-api@2.26.0
Overview
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.
Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.
Remediation
A fix was pushed into the master branch but not yet published.