
CVE-2020-35728
Date: December 26, 2020
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Language: Java
Severity Score
Weakness Type (CWE): Deserialization of Untrusted Data (CWE-502)
Top Fix

Upgrade Version
Upgrade jackson-databind to 2.9.10.8 or later (the version named in the description as the first fixed 2.x release). The original record also lists per-package fixed versions for software that bundles jackson-databind, several of which are marked as having no fix.
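Upgrading is the fix; the configuration below is an added example, not code from the advisory or from FasterXML, showing the typing setting that makes classpath gadgets such as the shaded Xalan JNDIConnectionPool reachable beside the allowlist-based configuration that rejects any type id outside the application's own package (com.example.model is an assumed package name).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class JacksonTypingConfig {

    // Weak setting (jackson-databind 2.9 and earlier style): global default
    // typing lets the JSON document name the class to instantiate, so every
    // "serialization gadget" on the classpath becomes a candidate target.
    // Kept only so reviewers can recognise the pattern to remove.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 for this reason
        return mapper;
    }

    // Hardened setting: polymorphic handling is only activated together with
    // an explicit allowlist. A type id that is not a subtype under the
    // assumed com.example.model package is rejected with
    // InvalidTypeIdException before any constructor or setter of that
    // class runs, which is what blocks gadget-style classes.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Safest setting: no default typing at all. Classes that genuinely need
    // polymorphism declare it locally with @JsonTypeInfo instead.
    public static ObjectMapper plainMapper() {
        return JsonMapper.builder().build();
    }
}
```

The allowlist only takes effect on a jackson-databind release that ships PolymorphicTypeValidator (2.10 and later), so it complements the upgrade rather than replacing it.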
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | HIGH |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | HIGH |
| Integrity (I) | HIGH |
| Availability (A) | HIGH |

Vector string from the metrics above: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | NETWORK |
| Access Complexity (AC) | MEDIUM |
| Authentication (AU) | NONE |
| Confidentiality (C) | PARTIAL |
| Integrity (I) | PARTIAL |
| Availability (A) | PARTIAL |

Vector string from the metrics above: AV:N/AC:M/Au:N/C:P/I:P/A:P