Vulnerabilities

5 via 26 paths

Dependencies

116

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 3
  • 2
Status
  • 5
  • 0
  • 0

high severity
new

Incorrect Authorization

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.ligoj.bootstrap:bootstrap-business@3.3.6

Detailed paths

  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded com.fasterxml.jackson.core:jackson-databind@2.22.0
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 io.swagger.core.v3:swagger-integration-jakarta@2.2.51 io.swagger.core.v3:swagger-core-jakarta@2.2.51 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 io.swagger.core.v3:swagger-integration-jakarta@2.2.51 io.swagger.core.v3:swagger-core-jakarta@2.2.51 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSON input.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.

References

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
  • Introduced through: org.apache.httpcomponents.client5:httpclient5@5.6.1 and org.ligoj.bootstrap:bootstrap-business@3.3.6

Detailed paths

  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.apache.httpcomponents.client5:httpclient5@5.6.1 org.apache.httpcomponents.core5:httpcore5-h2@5.4
    Remediation: Upgrade to org.apache.httpcomponents.client5:httpclient5@5.6.2.
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.apache.httpcomponents.client5:httpclient5@5.6.1 org.apache.httpcomponents.core5:httpcore5-h2@5.4

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the HPackDecoder process. An attacker can exhaust system memory by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.

Remediation

Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.3, 5.5-beta2 or higher.

References

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
  • Introduced through: org.apache.httpcomponents.client5:httpclient5@5.6.1 and org.ligoj.bootstrap:bootstrap-business@3.3.6

Detailed paths

  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.apache.httpcomponents.client5:httpclient5@5.6.1 org.apache.httpcomponents.core5:httpcore5-h2@5.4
    Remediation: Upgrade to org.apache.httpcomponents.client5:httpclient5@5.6.2.
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.apache.httpcomponents.client5:httpclient5@5.6.1 org.apache.httpcomponents.core5:httpcore5-h2@5.4

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP/1.1 message parsing process. An attacker can exhaust system memory by sending messages with an excessive number of headers or excessively long headers.

Remediation

Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.2, 5.5-beta1 or higher.

References

medium severity
new

Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • Vulnerable module: com.fasterxml.jackson.core:jackson-databind
  • Introduced through: com.fasterxml.jackson.core:jackson-databind@2.22.0 and org.ligoj.bootstrap:bootstrap-business@3.3.6

Detailed paths

  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded com.fasterxml.jackson.core:jackson-databind@2.22.0
    Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.22.1.
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-base@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 com.fasterxml.jackson.jakarta.rs:jackson-jakarta-rs-json-provider@2.22.0 com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 io.swagger.core.v3:swagger-integration-jakarta@2.2.51 io.swagger.core.v3:swagger-core-jakarta@2.2.51 com.fasterxml.jackson.core:jackson-databind@2.22.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.cxf:cxf-rt-rs-service-description-openapi-v3@4.2.2 io.swagger.core.v3:swagger-jaxrs2-jakarta@2.2.51 io.swagger.core.v3:swagger-integration-jakarta@2.2.51 io.swagger.core.v3:swagger-core-jakarta@2.2.51 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.22.0 com.fasterxml.jackson.core:jackson-databind@2.22.0

Overview

com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the BeanDeserializerBase.createContextual() method, which applies the per-property exclusions through _handleByNameInclusion() and then rebuilds the property map from the unfiltered original, overwriting the filtered map and restoring every property the exclusion had removed. An attacker can set fields that were marked ignored, enabling mass assignment, by supplying those property names in untrusted JSON during deserialization. Exploitation requires case-insensitive property matching to be enabled via @JsonFormat with ACCEPT_CASE_INSENSITIVE_PROPERTIES alongside per-property @JsonIgnoreProperties.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.18.9, 2.21.5, 2.22.1 or higher.

References

medium severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-api
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.6

Detailed paths

  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.logging.log4j:log4j-api@2.26.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.logging.log4j:log4j-core@2.26.0 org.apache.logging.log4j:log4j-api@2.26.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.logging.log4j:log4j-slf4j2-impl@2.26.0 org.apache.logging.log4j:log4j-api@2.26.0
  • Introduced through: ligoj/plugin-id-ldap-embedded@ligoj/plugin-id-ldap-embedded org.ligoj.bootstrap:bootstrap-business@3.3.6 org.ligoj.bootstrap:bootstrap-core@3.3.6 org.apache.logging.log4j:log4j-slf4j2-impl@2.26.0 org.apache.logging.log4j:log4j-core@2.26.0 org.apache.logging.log4j:log4j-api@2.26.0

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.

Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.

Remediation

A fix was pushed into the master branch but not yet published.

References